Appendix B

FedRAMP Assessment Process and Templates

The Federal Risk and Authorization Management Program (FedRAMP) is the joint NIST-GSA program which oversees the US government's installations of cloud-based systems.

The FedRAMP program has produced templates and guidelines for each area of the cloud deployment of systems for federal agencies which require an ATO and periodic testing under FISMA requirements, and all of these efforts conform to the SP 800-53 and SP 800-37 criteria.

I have included the testing guide for the controls here from the FedRAMP site (http://www.fedramp.gov/), but there are many other documents of relevance there also, including SAP and SAR templates, guides for Third-Party Assessment Organizations (3PAOs) who do the actual assessments following FedRAMP and NIST guides, and other acquisition guidance.

Executive summary

This is a draft document to allow interested parties to review the proposed test cases for the FedRAMP implementation of NIST 800-53 Revision 4. The Program Management Office (PMO) anticipates releasing the finalized test cases in a workbook like previous versions, but felt that editing and tracking of changes to the draft is easier in this format. Interested parties can send feedback to the PMO at the email address below.

Document Revision History

Date Page(s) Description Author
6/6/2014 All Initial Draft FedRAMP

Table of Contents

Executive Summary
How to Contact us
1. Access Control (AC)
2. Awareness and Training (AT)
3. Audit and Accountability (AU)
4. Security Assessment and Authorization (CA)
5. Configuration Management (CM)
6. Contingency Planning (CP)
7. Identification and Authentication (IA)
8. Incident Response (IR)
9. Maintenance (MA)
10. Media Protection (MP)
11. Physical and Environmental Protection (PE)
12. Planning (PL)
13. Personnel Security (PS)
14. Risk Assessment (RA)
15. System and Services Acquisition (SA)
16. System and Communications Protection (SC)
17. System and Information Integrity (SI)

How to contact us

Questions about FedRAMP or this document should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at http://www.fedramp.gov.

Access Control (AC)

AC-1

Examine information security program documentation for evidence that the organization access control policy is reviewed and updated at least every three years.
Examine organization access control policy for evidence that the policy addresses, purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the access control policy and associated access controls, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization access control policy and procedures, or other relevant documents for the organization elements having associated access control roles and responsibilities and to which the access control policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy was disseminated to the organizational elements.
Examine information security program documentation for the organization access control procedures.
Examine organization access control procedures for evidence that the procedures facilitate implementation of the access control policy and associated access controls.
Examine organization access control policy and procedures, or other relevant documents for the organization elements having associated access control roles and responsibilities and to which the access control procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy is reviewed and updated at least every three years, and the procedures at least annually.

AC-2

Examine access control policy, account management procedures, security plan, or other relevant documents for the measures to be employed in managing information system accounts, including: identifying organization-defined account types; assigning account managers; establishing conditions for group and role membership; identifying authorized users of the information system, group and role membership, access authorizations, and other attributes (as required) for each account; approvals by organization-defined personnel or roles for requests to create information system accounts; creating, enabling, modifying, disabling, and removing accounts in accordance with organization-defined procedures and conditions; monitoring the use of information system accounts; notifying account managers when accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; authorizing access to the system based on a valid access authorization, intended system usage, and other attributes as required by the organization or associated missions/business functions; reviewing accounts for compliance with account management requirements on an organization-defined frequency; and establishing a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
Examine a sample of records associated with the process for deactivating accounts of terminated or transferred employees for evidence that the measures are being applied to deactivate accounts of terminated or transferred users.
Examine a sample of records associated with the process for granting access to the information system based on valid access authorization, intended system usage, other organizational attributes or associated missions/business functions for evidence that the measures are being applied.
Examine a sample of records associated with the process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group for evidence that the measures are being applied.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the measures are being applied to identify account types, establish conditions for group membership, and require appropriate approvals for requests to establish accounts, as well as to reissue shared/group account credential when individuals are removed from the group.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the measures are being applied to establish, activate, modify, disable, and remove accounts.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the measures are being applied to notify account managers when accounts are no longer required, information system users are terminated or transferred, or information system usage or need-to-know/need-to-share changes.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the measures are being applied to grant access to the system based on a valid access authorization, intended system usage, and other attributes as required by the organization or associated mission/business functions.
Examine security plan for the frequency of information system account reviews.
Examine documentation for a sample of information system account reviews for evidence that information system accounts are reviewed in accordance with the required frequency.

AC-2 (1)

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to support information system account management functions.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-2 (2)

Examine security plan for the time period after which the information system removes and/or disables temporary and emergency accounts for each type of account.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to remove and/or disable temporary and emergency accounts after the required time period for each type of account.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-2 (3)

Examine security plan for the time period after which the information system disables inactive accounts.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to automatically disable inactive accounts after the required time period.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.
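The AC-2 (2) and AC-2 (3) test cases above ask the assessor to confirm that temporary and emergency accounts are removed after their per-type time period and that inactive accounts are disabled after the defined period. The following account-review helper is an added example, not part of the FedRAMP document; the account export format, the field names and the two period tables are assumptions (the real periods come from the system's security plan).

```python
"""AC-2 (2)/(3) account review: flag temporary and emergency accounts that have
outlived their organization-defined lifetime, and enabled accounts inactive
longer than the organization-defined threshold.

Constructed example. The account export format, field names and the two
period tables are assumptions; the real periods come from the security plan.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Placeholder organization-defined periods (assumed values, not FedRAMP's).
# AC-2 (2): per-account-type lifetime after which the account is removed/disabled.
ACCOUNT_LIFETIME = {
    "temporary": timedelta(days=30),
    "emergency": timedelta(days=1),
}
# AC-2 (3): inactivity period after which any enabled account is disabled.
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed account export (one record per account); a real review would
# pull this from the directory or IAM system.
SAMPLE_ACCOUNTS = [
    {"name": "alice",           "type": "standard",  "created": "2014-01-10", "last_login": "2014-05-30", "enabled": True},
    {"name": "bob",             "type": "standard",  "created": "2013-11-01", "last_login": "2014-02-01", "enabled": True},
    {"name": "tmp-audit",       "type": "temporary", "created": "2014-04-01", "last_login": "2014-04-15", "enabled": True},
    {"name": "ops-break-glass", "type": "emergency", "created": "2014-06-04", "last_login": "2014-06-04", "enabled": True},
    {"name": "svc-build",       "type": "standard",  "created": "2013-06-01", "last_login": None,         "enabled": True},
    {"name": "carol",           "type": "standard",  "created": "2013-06-01", "last_login": "2013-09-01", "enabled": False},
]


def _to_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_accounts(accounts: Iterable[dict], as_of: str) -> Dict[str, List[str]]:
    """Return the account names that violate AC-2 (2) or AC-2 (3) as of the ISO date `as_of`.

    An account that fails the lifetime check is reported once, under
    'remove_expired', and is not re-reported as inactive.
    """
    as_of_date = date.fromisoformat(as_of)
    findings: Dict[str, List[str]] = {"remove_expired": [], "disable_inactive": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing left to enforce
        created = _to_date(acct["created"])
        lifetime = ACCOUNT_LIFETIME.get(acct["type"])
        if lifetime is not None and as_of_date - created > lifetime:
            findings["remove_expired"].append(acct["name"])
            continue
        # An account that has never logged in counts as inactive since creation.
        last_activity = _to_date(acct["last_login"]) or created
        if as_of_date - last_activity > INACTIVITY_LIMIT:
            findings["disable_inactive"].append(acct["name"])
    return findings


if __name__ == "__main__":
    # Review as of the draft's revision date, 6 June 2014.
    for category, names in review_accounts(SAMPLE_ACCOUNTS, "2014-06-06").items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

The assessor's check is then a comparison: every name this review reports should already have been removed or disabled by the system's own automated mechanism, or the mechanism is not operating as intended.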

AC-2 (4)

Examine security plan, information system design documentation, or other relevant documents; for the mechanisms and their configuration settings to be employed to audit account creation, modification, enabling, disabling, and removal actions.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended to audit account creation, modification, enabling, disabling, and removal actions.
Examine account management policy, procedures addressing account management, security plan, or other relevant documents; for the notifications deemed required by the organization with regard to account management actions and for the individuals deemed appropriate by the organization to receive these notifications.
Note to assessor: The identification of when notification is required and to whom the notification should be provided need only be specific enough to enable determination of whether the organizational intent is being achieved; for example, the individuals need not be called out by name but may be defined by the positions or roles that need to receive the notification.
Examine security plan, information system design documentation, or other relevant documents; for the mechanisms and their configuration settings to be employed to accomplish the required notifications. Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the mechanisms and configurations are being applied.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-2 (5)

Examine access control policy, procedures addressing account management controls, security plan, or other relevant documents for the requirement for users to log out when organization-defined time-period of inactivity occurs or in accordance with organization-defined description of when to log out.
Interview a sample of organizational personnel with logical access to the information system for further evidence that the measures are being applied.
Test the system to ensure that the organizational-defined time period is appropriately enforced.

AC-2 (7)

Examine access control policy, procedures addressing account management, security plan, or other relevant documents for the role-based access scheme to be employed to organize information system and network privileges into roles.
Examine security plan, information system design documentation, or other relevant documents for their configuration settings to be employed to establish and administer privileged user accounts in accordance with the role-based access scheme.
Examine access control policy, procedures addressing account management, security plan, or other relevant documents for the organization-defined actions that are taken when privileged role assignments are no longer appropriate.
Interview a sample of organizational personnel with account management responsibilities for further evidence that the role-based access scheme is being applied to organize information system and network privileges into roles using the identified mechanisms.
Examine access control policy, procedures addressing account management, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and configuration settings) to be employed to monitor privileged role assignments.
Examine a sample of information system audit records, audit tracking and monitoring reports, or other relevant documents associated with an information system-generated list of current privileged user accounts and related roles for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for monitoring privileged role assignments for further evidence that the measures are being applied.

AC-2 (9)

Examine access control policy, procedures addressing account management controls, security plan, or other relevant documents for the time period that users are required to log out due to expected inactivity.
Examine access control policy, procedures addressing account management controls, security plan, or other relevant documents for the description of when users are required to log out.
Examine access control policy, procedures addressing account management controls, security plan, or other relevant documents for the requirement for users to log out when organization-defined time-period of inactivity occurs or in accordance with organization-defined description of when to log out.
Interview a sample of organizational personnel with logical access to the information system for further evidence that the measures are being applied.

AC-2 (10)

Examine access control policy, procedures addressing account management controls, security plan, or other relevant documents for the requirement to terminate shared/group account credentials when members leave the group.
Interview a sample of personnel with responsibilities for configuring the automated mechanism for further evidence that the measures are being applied and that reports of atypical usage are disseminated appropriately.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required to terminate shared/group account credentials when members leave the group.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as required to terminate shared/group account credentials when members leave the group.

AC-2 (12)

Examine access control policy, procedures addressing account management controls, security plan, information system design documentation, or other relevant documents for the circumstances and/or usage conditions enforced for accounts in the information system.
Interview a sample of organizational personnel responsible for tracking and monitoring the use of information system accounts for further evidence that the measures are being applied.
Test the automated monitoring and reporting mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-3

Examine access control policy, procedures addressing access enforcement, security plan, information system design documentation, or other relevant documents for the measures to be employed to enforce approved authorizations for logical access to the system or system resources in accordance with applicable policy.
Examine documentation describing the current configuration settings for evidence that these mechanisms are configured as required.
Examine documentation describing the current user privileges on the information system for a sample of information system users, along with the list of approved authorizations (user privileges) for evidence that the user privileges on the information system are consistent with the approved user authorizations.
Test a sample of the processes and/or configuration settings for evidence that these mechanisms are operating as intended.

AC-4

Examine applicable policy, procedures addressing information flow enforcement, security plan, or other relevant documents for the policy controlling the flow of information within the system and between interconnected systems.
Examine applicable policy, procedures addressing information flow enforcement, security plan, or other relevant documents for the approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with the applicable policy.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are controlling the flow of information within the system and between interconnected systems as required.
Test the current configuration settings for evidence that these mechanisms are controlling the flow of information within the system and between interconnected systems as intended.

AC-4 (21)

Examine information flow enforcement policy, information flow control policies, information system design documentation, or other relevant documents for a list of types of information that are required to be in separate information flows, and showing the mechanisms and/or techniques to be used in separating the information flows.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended for each of the specified information types.
Interview a sample of organizational officials responsible for information flow enforcement and transmission processes for further evidence that the measures are being applied.

AC-5

Examine access control policy, procedures addressing divisions of responsibility and separation of duties, security plan, or other relevant documents for measures to be employed to separate duties of individuals.
Interview a sample of organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties for the information system for evidence that the measures are being applied.
Examine access control policy, procedures addressing divisions of responsibility and separation of duties, security plan, or other relevant documents for the measures to be employed to document separation of duties for the information system.
Examine job descriptions, position descriptions, or other relevant documents for a sample of individuals providing information system support functions for evidence that the measures are being applied.
Examine access control policy, procedures addressing divisions of responsibility and separation of duties, security plan, information system design documentation, or other relevant documents for evidence of defined access authorizations supporting separation of duties.
Examine access authorizations, access control profiles, and the duties and responsibilities documented for a sample of information system users for evidence that the measures are being applied.
Test a sample of mechanisms and their configuration settings for evidence that these separation of duties policies and procedures are implemented as intended.

AC-6

Examine account control policy, procedures addressing least privilege, security plan, information system design documentation, or other relevant documents for the measures (including automated mechanisms and their configuration settings) to be employed to enforce the concept of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine assigned access authorizations (user privileges) and required functions necessary to accomplish assigned tasks for a sample of information system users for evidence that the measures are being applied.
Interview a sample of organizational personnel with responsibilities for employing the concept of least privilege for further evidence that the measures are being applied.
Test a sample of the automated mechanisms and their configuration settings for further evidence that these mechanisms are operating as intended.

AC-6 (1)

Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized.
Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the measures to be employed to explicitly authorize access to the security functions and security-relevant information as required.
Examine access authorization approvals for a sample of information system accounts with access to the security functions and security-relevant information for evidence that the measures are being applied to explicitly authorize access.
Interview a sample of organizational personnel with responsibilities for authorizing access to security functions and security-relevant information for further evidence that the measures are being applied.

AC-6 (2)

Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the security functions or security-relevant information to which users of information system accounts, or roles, have access.
Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the requirement that users of information system accounts, or roles, with access to the security functions or security-relevant information use non-privileged accounts when accessing non-security functions.
Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the measures to determine organization-defined security functions or security-relevant information.
Interview a sample of individuals with privileged accounts or roles to determine that non-privileged accounts are used appropriately.

AC-6 (5)

Examine access control policy, information system design documentation, security plan, or other relevant documents for a list of defined personnel or roles for which privileged accounts are to be restricted.
Interview a sample of organizational personnel with responsibilities for defining the personnel or roles which are to be restricted for further evidence that the measures are being applied.
Examine a sample of personnel or roles for evidence that privileged accounts are assigned only to those the organization has identified.

AC-6 (9)

Examine access control policy, procedures addressing least privilege, security plan, or other relevant documents for the list of privileged functions to be audited.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms for evidence that these mechanisms are configured as required and intended.
Test a sample of the automated mechanisms and their configuration settings for further evidence that the mechanisms audit the execution of privileged functions as intended.
Examine audit logs generated by the automated mechanisms for further evidence that the auditing mechanisms capture all required audit data related to the execution of privileged functions.
Interview a sample of organizational personnel with responsibilities for reviewing the least privileges necessary to accomplish specified tasks for further evidence that the measures are being applied to ensure the system audits the execution of privileged functions.

AC-6 (10)

Examine information flow enforcement policy, information flow control policies, information system design documentation, or other relevant documents for a list of types of information that are required to be in separate information flows.
Examine information flow enforcement policy, information flow control policies, information system design documentation, or other relevant documents for the mechanisms and/or techniques to be implemented in separating, logically or physically, the types of information which are required to be in separate information flows.
Test a sample of the automated mechanisms and their configuration settings, using a vulnerability scanner, for evidence that these mechanisms are operating as intended for each of the specified information types.
Interview a sample of organizational officials responsible for information flow enforcement and transmission processes for further evidence that the measures are being applied.

AC-7

Examine access control policy, procedures addressing unsuccessful login attempts, security plan, or other relevant documents for the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid attempts occur.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce the limit of consecutive invalid login attempts during the required time period.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.
Examine access control policy, procedures addressing unsuccessful login attempts, security plan, or other relevant documents for one of the following selected actions to be taken by the system when the maximum number of unsuccessful login attempts is exceeded:
Lock out the account/node for a specified time period;
Lock out the account/node until released by an administrator; or
Delay the next login prompt according to an organization-defined delay algorithm.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce the defined action when the maximum number of unsuccessful login attempts is exceeded.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce the defined action when the maximum number of unsuccessful login attempts is exceeded for local and network logins.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms for evidence that these mechanisms are configured as required.
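The AC-7 test cases have two parts: confirming that the configured parameters match the organization-defined values, and confirming that the mechanism actually behaves as the control describes (consecutive failures within the time period, then one of the three responses). The following is an added example, not FedRAMP's or NIST's own code: a small reference model of the AC-7 behaviour that an assessor can compare observed results against, plus a parser for a pam_faillock-style config. The `Ac7Policy` fields, the two constructed config texts, and the required values passed to `meets_requirement` are assumptions; the real values live in the security plan.

```python
"""AC-7 reference model: a limit on consecutive invalid login attempts within a
time period, followed by one of the three responses the control allows
(timed lockout, lockout until administrator release, or delayed prompt).

Constructed example. `Ac7Policy` and the sample faillock-style configs are
assumptions; the organization-defined values live in the security plan.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_RELEASE = float("inf")  # sentinel: locked until an administrator releases it


@dataclass
class Ac7Policy:
    max_attempts: int                 # organization-defined maximum consecutive invalid attempts
    window_seconds: int               # time period in which those attempts must occur
    lockout_seconds: Optional[int]    # None = lock until released by an administrator
    delay_base_seconds: int = 0       # >0 = also delay the next prompt (doubles per failure)


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)  # timestamps of failures in the window
    locked_until: Optional[float] = None               # None = not locked


def check_attempt(state: AccountState, policy: Ac7Policy, now: int, success: bool) -> Dict[str, object]:
    """Apply one login attempt at time `now` and return the system's response."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return {"result": "locked", "delay": 0}
        state.locked_until = None          # timed lockout has expired
        state.failures = []
    if success:
        state.failures = []                # a success resets the consecutive count
        return {"result": "allowed", "delay": 0}
    # Drop failures that fell outside the time period, then record this one.
    state.failures = [t for t in state.failures if now - t < policy.window_seconds]
    state.failures.append(now)
    if len(state.failures) >= policy.max_attempts:
        state.locked_until = ADMIN_RELEASE if policy.lockout_seconds is None else now + policy.lockout_seconds
        state.failures = []
        return {"result": "locked", "delay": 0}
    # Organization-defined delay algorithm (assumed here: exponential back-off).
    delay = policy.delay_base_seconds * (2 ** (len(state.failures) - 1))
    return {"result": "denied", "delay": delay}


def release_by_admin(state: AccountState) -> None:
    """The administrator-release path for the 'until released' option."""
    state.locked_until = None
    state.failures = []


def parse_faillock(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of a pam_faillock-style config (assumed format)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip() or "true"
    return settings


def policy_from_faillock(settings: Dict[str, str]) -> Optional[Ac7Policy]:
    """Map deny/fail_interval/unlock_time to an Ac7Policy; None if no limit is set.

    Assumed semantics follow pam_faillock: unlock_time = 0 means administrator release.
    """
    if "deny" not in settings:
        return None
    unlock = int(settings.get("unlock_time", "600"))
    return Ac7Policy(
        max_attempts=int(settings["deny"]),
        window_seconds=int(settings.get("fail_interval", "900")),
        lockout_seconds=None if unlock == 0 else unlock,
    )


def meets_requirement(policy: Optional[Ac7Policy], required_attempts: int, required_window: int) -> List[str]:
    """Compare a configured policy against the security plan's values; empty list = compliant."""
    if policy is None:
        return ["no lockout configured"]
    gaps = []
    if policy.max_attempts > required_attempts:
        gaps.append(f"deny={policy.max_attempts} exceeds the allowed {required_attempts}")
    if policy.window_seconds < required_window:
        gaps.append(f"fail_interval={policy.window_seconds}s is shorter than the required {required_window}s")
    return gaps


# Constructed configs: one weak, one that meets assumed plan values (3 attempts / 15 min).
WEAK_CONFIG = "deny = 10\nfail_interval = 60\nunlock_time = 60\n"
GOOD_CONFIG = "# lock after 3 failures in 15 minutes, release after 30 minutes\ndeny = 3\nfail_interval = 900\nunlock_time = 1800\n"
```

A window shorter than the plan's period is a gap as well as a higher attempt count, because failures spread across the required period would then never accumulate to a lockout.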

AC-8

Examine access control policy, privacy and security policy, procedures addressing system use notification, security plan, or other relevant documents for the measures to be employed to approve the organization-defined information use notification message or banner to be displayed by the information system before granting access to the system.
Examine documented approval of information system use notification message or banner displayed by the information system before granting access to the system for evidence that the measures are being applied.
Examine security plan, information system design documentation, or other relevant documents for the configuration settings to be employed to display the approved system use notification message or banner before granting access to the system.
Examine documentation describing the current configuration settings for evidence that the banner is displayed as required.
Test for evidence that these mechanisms are operating as intended.
Examine access control policy, privacy and security policy, procedures addressing system use notification, security plan, or other relevant documents for the applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance that establish the appropriate privacy and security notices to be provided when the information system displays an approved system use notification message or banner before granting access to the system.
Examine information system use notification message or banner for evidence that the system use notification message or banner provides privacy and security notices consistent with the applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that users are accessing a U.S. Government information system; system usage may be monitored, recorded, and subject to audit; unauthorized use of the system is prohibited and subject to criminal and civil penalties; and use of the system indicates consent to monitoring and recording.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to retain the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system.
Examine documentation describing the current configuration settings for evidence that these mechanisms are configured as required.

AC-10

Examine access control policy, procedures addressing concurrent session control, security plan, or other relevant documents for the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to limit the number of concurrent sessions for each organization-defined account and/or account type to the maximum allowable number of sessions.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms implementing the access control policy for concurrent session control for evidence that these mechanisms are operating as intended.

AC-11

Examine access control policy, procedures addressing session lock, security plan, or other relevant documents for the time period of user inactivity after which the information system initiates a session lock.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to initiate a session lock after the defined time period of inactivity or upon receiving a request from a user.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.
Examine identification and authentication procedures for the procedures established for users to reestablish access to the information system when the information system initiates a session lock after the defined time period of inactivity or upon receiving a request from a user.
Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to retain the session lock until the user reestablishes access using the established identification and authentication procedures.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-11(1)

Examine security plan, information system design documentation, or other relevant documents for the information system session lock mechanisms and their configuration settings to be employed that, when activated on a device with a display screen, places a publicly viewable pattern onto the display screen, hiding what was previously visible on the screen.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-12

Examine the security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to terminate user sessions when the specified conditions or trigger events are met.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that user sessions are terminated when the organization-defined conditions or trigger events are met.
Examine the security plan, information system design documentation, or other relevant documents for evidence the organization has defined conditions or trigger events which require session disconnect.
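
The AC-10 and AC-12 procedures above ask the assessor to examine the current configuration settings against the organization-defined maximum number of concurrent sessions and the organization-defined session termination conditions. The following script is an added example of how that examination can be automated for a Linux host; it is not part of the FedRAMP test cases. It assumes AC-10 is enforced with pam_limits (`maxlogins` in `/etc/security/limits.conf`) and AC-12 with OpenSSH's `ClientAliveInterval`/`ClientAliveCountMax` together with the shell `TMOUT` variable; the configuration fragments and the organization-defined values (3 sessions, 900 seconds) are constructed for the example.

```python
"""Assessor helper: check host configuration fragments against the
organization-defined values for AC-10 (concurrent session limit) and
AC-12 (session termination on inactivity).

Added example, not part of the FedRAMP test cases. Assumes a Linux host
where AC-10 is enforced by pam_limits ("maxlogins" in limits.conf) and
AC-12 by sshd ClientAlive keepalives plus the shell TMOUT variable.
The organization-defined values used below are constructed placeholders.
"""
import re

# Constructed sample inputs standing in for the documents collected under
# "Examine documentation describing the current configuration settings".
LIMITS_CONF = """\
# /etc/security/limits.conf (constructed sample)
*        hard    maxlogins    3
admin    hard    maxlogins    10
@ops     -       maxlogins    2
"""

SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
ClientAliveInterval 300
ClientAliveCountMax 3
PermitRootLogin no
"""

PROFILE_D = """\
# /etc/profile.d/tmout.sh (constructed sample)
readonly TMOUT=900
export TMOUT
"""


def parse_maxlogins(limits_text):
    """Return {domain: limit} for every hard (or '-' = hard and soft) maxlogins line."""
    limits = {}
    for line in limits_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 4 and fields[2] == "maxlogins" and fields[1] in ("hard", "-"):
            limits[fields[0]] = int(fields[3])
    return limits


def check_concurrent_sessions(limits_text, max_allowed):
    """AC-10: every domain's maxlogins must be <= the organization-defined maximum.
    Returns a list of findings; an empty list means configured as required."""
    limits = parse_maxlogins(limits_text)
    findings = []
    if "*" not in limits:
        findings.append("no default (*) maxlogins limit: unlisted accounts are unlimited")
    for domain, value in limits.items():
        if value > max_allowed:
            findings.append(f"{domain}: maxlogins {value} exceeds allowed {max_allowed}")
    return findings


def sshd_idle_timeout(sshd_text):
    """Seconds after which sshd drops an unresponsive session, or None when the
    keepalive check is not configured to terminate sessions at all."""
    values = {}
    for line in sshd_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(ClientAliveInterval|ClientAliveCountMax)\s+(\d+)$", line, re.I)
        if m:
            values[m.group(1).lower()] = int(m.group(2))
    interval = values.get("clientaliveinterval", 0)
    count = values.get("clientalivecountmax")
    if interval <= 0 or count is None or count <= 0:
        return None
    return interval * count


def shell_tmout(profile_text):
    """Return the TMOUT value (seconds) set in a profile fragment, or None."""
    m = re.search(r"^\s*(?:readonly\s+|export\s+)?TMOUT=(\d+)", profile_text, re.M)
    return int(m.group(1)) if m else None


def check_session_termination(sshd_text, profile_text, required_seconds):
    """AC-12: both the transport (sshd keepalive) and the shell (TMOUT) must
    terminate an idle session within the organization-defined period."""
    findings = []
    ssh_timeout = sshd_idle_timeout(sshd_text)
    if ssh_timeout is None:
        findings.append("sshd: ClientAlive keepalive does not terminate idle sessions")
    elif ssh_timeout > required_seconds:
        findings.append(f"sshd: idle timeout {ssh_timeout}s exceeds required {required_seconds}s")
    tmout = shell_tmout(profile_text)
    if tmout is None:
        findings.append("shell: TMOUT not set, interactive shells never time out")
    elif tmout > required_seconds:
        findings.append(f"shell: TMOUT {tmout}s exceeds required {required_seconds}s")
    return findings


if __name__ == "__main__":
    for name, findings in (
        ("AC-10", check_concurrent_sessions(LIMITS_CONF, 3)),
        ("AC-12", check_session_termination(SSHD_CONFIG, PROFILE_D, 900)),
    ):
        print(name, "as required" if not findings else "findings: " + "; ".join(findings))
```

On the constructed sample the AC-10 check reports the `admin` entry (10 sessions against an allowed 3) and the AC-12 check passes, since 300 s x 3 keepalives and `TMOUT=900` both fall within the 900-second period. A missing `*` entry is reported as a finding because pam_limits applies no limit to accounts that match no line, which the assessor would otherwise miss when reading only the lines that are present. The AC-11 screen lock is not covered here because its configuration depends on the desktop environment in use.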

AC-14

Examine access control policy, procedures addressing permitted actions without identification and authentication, security plan, or other relevant documents for the specific user actions that can be performed on the information system without identification and authentication.
Examine security plan for the supporting rationale for user actions not requiring identification and authentication.

AC-17

Examine access control policy, procedures addressing remote access to the information system, security plan, or other relevant documents for the usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
Examine remote access monitoring records for a sample of allowed remote access methods for evidence that the measures are being applied.
Interview a sample of organizational personnel with remote access monitoring responsibilities for further evidence that the measures are being applied.
Examine access control policy, procedures addressing remote access to the information system, security plan, or other relevant documents for the measures to be employed to authorize remote access to the information system prior to connection.
Examine authorization approvals for a sample of remote access connections to the information system for evidence that the measures are being applied to authorize remote access prior to connection.
Examine access control policy, procedures addressing remote access to the information system, security plan, or other relevant documents for the measures to be employed to enforce requirements for remote connections to the information system.
Examine configuration settings and associated documentation for a sample of remote access connections to the information system for evidence that the measures are being applied to enforce requirements for remote connections to the information system.
Interview a sample of organizational personnel with remote access control responsibilities for further evidence that the measures are being applied.
Test a sample of the remote access methods for the information system for evidence that these mechanisms are operating as intended.

AC-17 (1)

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to facilitate the monitoring and control of remote access methods.
Note to assessor: As an example of an automated control action, in a client-server environment individual clients are polled (monitored) by the server and their security status is verified before the server grants access.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-17 (2)

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to implement cryptography to protect the confidentiality and integrity of remote access sessions.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-17 (3)

Examine security plan, information system design documentation, or other relevant documents for organization-defined managed network access control points for remote access to the information system.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to route all remote access through the managed network access control points.
Examine documentation describing the current configuration settings for evidence that these mechanisms are configured as required.
Test the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AC-17 (4)

Examine access control policy, procedures addressing remote access to the information system, security plan, or other relevant documents for the organization-defined needs to authorize remote access to privileged commands and security-relevant information.
Examine access control policy, procedures addressing remote access to the information system, security plan, or other relevant documents for the measures to be employed to authorize the execution of privileged commands and access to security-relevant information via remote access only for the organization-defined needs.
Examine authorization approvals for a sample of remote access accounts with access to privileged commands and security-relevant information for evidence that the measures are being applied.
Interview a sample of organizational personnel with remote access authorization responsibilities for further evidence that the measures are being applied.
Examine security plan to ensure that the rationale for the execution of privileged commands and access to security-relevant information is documented.

AC-17 (9)

Examine the security plan, information system design documentation, or other relevant documents for evidence that the time period to terminate remote access from the information system has been defined.
Examine documentation describing the manner in which the organization will expeditiously disconnect or disable remote access from the information system.
Test a remote access session for evidence that the session can be terminated within the defined time period.
Interview a sample of organizational personnel with remote session termination responsibilities about the process for conducting remote access termination, for evidence that the measures are being employed and that the personnel have been trained.

AC-18

Examine access control policy, procedures addressing wireless implementation and usage restrictions, security plan, or other relevant documents for the usage restrictions, configuration/connection requirements, and implementation guidance for wireless access.
Examine access control policy, procedures addressing wireless implementation and usage restrictions, security plan, or other relevant documents for the measures to be employed to authorize wireless access to the information system prior to connection.
Examine authorization approvals for a sample of wireless access connections to the information system for evidence that the measures are being applied to authorize wireless access prior to connection.
Interview a sample of organizational personnel responsible for authorizing wireless access connections to the information system for further evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for controlling wireless connections to the information system for further evidence that the measures are being applied.
Test the wireless access usage and restrictions for evidence that these mechanisms are operating as intended.

AC-18 (1)

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to protect wireless access to the system using user and/or device authentication and encryption.
Examine documentation describing the current configuration settings for evidence that these mechanisms are configured as required.
Test the mechanisms implementing the access control policy for wireless access to the information system for evidence that these mechanisms are operating as intended.

AC-19

Examine access control policy, procedures addressing access control for portable and mobile devices, security plan, or other relevant documents for the usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.
Examine authorization approvals for a sample of mobile devices with connection to the information system for evidence that mobile device connections are authorized.
Interview a sample of organizational personnel responsible for authorizing mobile device connections to the information system for further evidence that the measures are being applied.
Test the mechanisms implementing access control policy for portable and mobile devices for evidence that these mechanisms are operating as intended.

AC-19 (5)

Examine the security plan, information system design documentation, or other relevant documents for the encryption procedures and technologies employed on mobile devices.
Examine documentation describing the current configuration settings for a sample of cryptographic modules for evidence that these modules are configured as required.
Test a sample of applicable mobile devices for evidence that encryption is operating as intended.
Interview a sample of organizational personnel with mobile device encryption responsibilities for evidence that encryption is being employed correctly on mobile devices.

AC-20

Examine access control policy, procedures addressing the use of external information systems, security plan, or other relevant documents for the individuals authorized to access the information system from the external information systems and to process, store, and/or transmit organization-controlled information using the external information systems.
Examine access control policy, procedures addressing the use of external information systems, security plan, or other relevant documents for the terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems and to process, store, and/or transmit organization-controlled information using the external information systems.

AC-20 (1)

Examine documents addressing the use of external information systems, security plan, or other relevant documents for the measures to be employed to permit only authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information when the organization can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or has approved information system connection or processing agreements with the organizational entity hosting the external information system.
Examine records verifying the implementation of required security controls on the external information systems for a sample of external information systems used to access the organizational information system for evidence that the measures are being applied to verify the implementation of required security controls on external systems.
Examine documented connection approvals or processing agreements for a sample of external information systems used to access the organizational information system for evidence that the measures are being applied to approve information system connections or processing agreements.
Interview a sample of organizational personnel responsible for authorizing individuals to use external information systems to access the organizational information system for further evidence that the measures are being applied to verify the implementation of required security controls on external systems.
Interview a sample of organizational personnel responsible for authorizing individuals to use external information systems to access the organizational information system for further evidence that the measures are being applied to approve information system connections or processing agreements.

AC-20 (2)

Examine access control policy, procedures addressing the use of external information systems, security plan, or other relevant documents for the measures to be employed to restrict or prohibit the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Interview a sample of organizational personnel responsible for controlling the use of portable storage devices for evidence that the measures are being applied.

AC-21

Examine the access control policy, security plan, information system design documentation, or other relevant documents for evidence that information sharing processes and mechanisms are in place.
Examine the access control policy, security plan, information system design documentation, or other relevant documents for the list of users and/or resources authorized to make information sharing decisions.
Examine the access control policy, security plan, information system design documentation, or other relevant documents for evidence that a list of information sharing circumstances requiring user discretion is defined.
Interview organizational personnel responsible for information sharing decisions for evidence that the organization defines the information sharing circumstances where user discretion is required.
Interview organizational personnel responsible for information sharing decisions for evidence that the organization facilitates information sharing by enabling authorized users to grant access authorizations to sharing partners that match the appropriate access restrictions.
Interview organizational personnel responsible for information sharing decisions for evidence that the organization employs automated mechanisms or manual processes to assist authorized users in making information sharing decisions.
Test a sample of the automated mechanisms or manual processes for evidence that they are operating as intended.

AC-22

Examine access control policy, procedures addressing publicly accessible content, security plan, or other relevant documents for the individuals authorized to post information onto a publicly accessible information system.
Examine access control policy, procedures addressing publicly accessible content, training materials, security plan, or other relevant documents for the measures to be employed to train the authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
Examine training records for a sample of individuals authorized to post information onto an organizational information system for evidence that the measures are being applied.
Examine access control policy, procedures addressing publicly accessible content, security plan, or other relevant documents for the measures to be employed to review the proposed content of publicly accessible information for nonpublic information prior to posting onto the information system.
Examine records of publicly accessible information reviews for a sample of information posted on the organizational information system for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for reviewing proposed content of publicly accessible information for further evidence that the measures are being applied.
Examine access control policy, procedures addressing publicly accessible content, security plan, or other relevant documents for the organization-defined frequency of reviewing the content on the publicly accessible organization information system for nonpublic information.
Examine access control policy, procedures addressing publicly accessible content, security plan, or other relevant documents for the measures to be employed to review the content on the publicly accessible organization information system for nonpublic information in accordance with the required frequency.
Examine a sample of records of publicly accessible information reviews for evidence that the measures are being applied.
Examine access control policy, procedures addressing publicly accessible content, security plan or other relevant documents for the measures to be employed to remove nonpublic information from the publicly accessible organizational information system, if discovered.
Examine information on the publicly accessible information system and a sample of records of publicly accessible information reviews for evidence that measures are being applied to remove nonpublic information from the publicly accessible information system, if discovered.
Interview a sample of organizational personnel responsible for managing publicly accessible information posted on the information system for further evidence that the measures are being applied to remove nonpublic information from the publicly accessible information system, if discovered.

Awareness and Training (AT)

AT-1

Examine information security program documentation for the organization's security awareness and training policy and for evidence that the policy is reviewed and updated at least every three years.
Examine the organization's security awareness and training policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate the implementation of the security awareness and training policy and associated security awareness and training controls, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization security awareness and training policy and procedures, or other relevant documents for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security awareness and training procedures.
Examine organization security awareness and training procedures for evidence that the procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls.
Examine organization security awareness and training policy and procedures, or other relevant documents for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy is reviewed and updated at least every three years, and the procedures at least annually.

AT-2

Examine security awareness and training policy, procedures addressing security awareness training implementation, security plan, or other relevant documents for the measures to be employed to provide basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users and when required by system changes.
Examine training records for a sample of information system users for evidence that the measures are being applied.
Examine security awareness and training policy, security plan, or other relevant documents for the organization-defined frequency of refresher security awareness training.
Examine training records for a sample of information system users for evidence that refresher security awareness training is provided in accordance with the organization-defined frequency.
Interview a sample of key organizational personnel within the organization elements for evidence that security awareness training is conducted for new users, when required by system changes, and at least annually.

AT-2 (2)

Examine security awareness and training policy addressing course content, security awareness training curriculum or other relevant materials for the practical exercises to be included in security awareness training that covers recognizing and reporting potential indicators of insider threat.

AT-3

Examine security awareness and training policy, procedures addressing security training implementation, security plan, or other relevant documents for the measures to be employed to provide role based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes.
Examine training records for a sample of organizational personnel with significant information system security responsibilities for evidence that the measures are being applied.
Interview a sample of organizational personnel with responsibilities for role-based, security-related training for further evidence that the measures are being applied.
Examine security awareness and training policy, security plan, or other relevant documents for the organization-defined frequency of refresher role-based, security-related training.
Examine training records for a sample of organizational personnel with significant information system security responsibilities for evidence that refresher role-based, security-related training is provided in accordance with the organization-defined frequency.

AT-4

Examine security awareness and training policy, procedures addressing security training implementation, security plan, or other relevant documents for the measures to be employed to provide role based security-related training before authorizing access to the system or performing assigned duties, and when required by system changes.
Examine the security training materials for evidence that the materials address the procedures and activities necessary to fulfill the organization-defined roles and responsibilities for information system security.
Interview a sample of organizational personnel with responsibilities for role-based, security-related training for further evidence that the measures are being applied.
Examine security awareness and training policy, security plan, or other relevant documents for the frequency of refresher role-based security-related training.
Examine the security training records for indications that refresher security training has been provided in accordance with the required frequency.

Audit and Accountability (AU)

AU-1

Examine information security program documentation for the organization's audit and accountability policy and for evidence that the policy is reviewed and updated at least every three years.
Examine the organization's audit and accountability policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate the implementation of the audit and accountability policy, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy was disseminated to the organizational elements.
Examine information security program documentation for the organization audit and accountability procedures.
Examine organization audit and accountability procedures for evidence that the procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls.
Examine organization audit and accountability policy and procedures, or other relevant documents for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy is reviewed and updated at least every three years, and the procedures at least annually.

AU-2

Examine audit and accountability policy, procedures addressing auditable events, security plan, or other relevant documents for the list of events the information system must be capable of auditing.
Interview a sample of organizational personnel responsible for coordinating the security audit function for evidence that security audit information was used to guide the selection of auditable events.
Examine audit and accountability policy, procedures addressing auditable events, security plan, or other relevant documents for the rationale expressing why the list of auditable events is adequate to support after-the-fact investigations of security incidents.
Examine audit and accountability policy, procedures addressing auditable events, security plan, or other relevant documents for the subset of auditable events that are to be audited within the information system.
Examine audit and accountability policy, procedures addressing auditable events, security plan, or other relevant documents for the frequency of (or situation requiring) auditing for the subset of identified auditable events.
Test a sample of the mechanisms implementing information system auditing of organization-defined auditable events.

AU-2 (3)

Examine audit and accountability policy, procedures addressing auditable events, security plan, or other relevant documents for the frequency of reviews and updates to the list of auditable events.
Examine a sample of records of organizational reviews and updates to the list of auditable events for evidence that these events are reviewed and updated in accordance with the required frequency. [Annually or whenever there is a change in the threat environment].
Interview a sample of organizational personnel responsible for reviewing and updating auditable events for further evidence that these events are reviewed and updated in accordance with the required frequency [annually or whenever there is a change in the threat environment].

AU-3

Examine audit and accountability policy, procedures addressing content of audit records, security plan, information system design documentation, or other relevant documents for the measures (including automated mechanisms and their configuration settings) to be employed to produce audit records that contain information to, at a minimum, establish what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event.
Examine documentation describing the configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required to establish what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event.
Examine a sample of information system audit records for evidence that the measures are being applied to establish what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; the identity of any user/subject associated with the event.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended to establish what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event.
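
The AU-3 procedure repeats the six elements every audit record must establish (event type, date and time, where, source, outcome, subject). The following script is an added example, not part of the FedRAMP test cases, of checking an exported sample of audit records for those elements so that the "Examine a sample of information system audit records" step does not rely on eyeballing. It assumes the system writes one JSON object per line with the field names in `REQUIRED_FIELDS`; those field names and the sample records are constructed for the example and would be replaced by the field mapping documented in the system's design documentation.

```python
"""Assessor helper: check a sample of audit records for the AU-3 minimum
content (event type, date/time, where, source, outcome, subject).

Added example, not part of the FedRAMP test cases. It assumes the system
emits one JSON object per line with the field names listed in
REQUIRED_FIELDS; the field names and the sample records are constructed.
"""
import json
from datetime import datetime

# AU-3 element -> field name assumed for this system's JSON audit records.
REQUIRED_FIELDS = {
    "event type": "event",
    "date and time": "timestamp",
    "where the event occurred": "host",
    "source of the event": "source",
    "outcome": "outcome",
    "user/subject": "subject",
}

# Constructed sample of audit records as an assessor might export them;
# records 3 and 4 and line 5 are deliberately deficient.
SAMPLE_RECORDS = """\
{"event":"user.login","timestamp":"2014-06-06T14:03:11Z","host":"app01","source":"198.51.100.7","outcome":"success","subject":"jdoe"}
{"event":"user.login","timestamp":"2014-06-06T14:05:42Z","host":"app01","source":"198.51.100.7","outcome":"failure","subject":"jdoe"}
{"event":"config.change","timestamp":"2014-06-06T14:09:00Z","host":"app01","source":"console","subject":"admin"}
{"event":"file.read","timestamp":"yesterday","host":"app02","source":"10.0.0.5","outcome":"ok","subject":""}
this line is not an audit record
"""


def check_record(record):
    """Return the AU-3 elements a single parsed record fails to establish.
    An empty list means the record carries all six elements in usable form."""
    problems = []
    for element, field in REQUIRED_FIELDS.items():
        value = record.get(field)
        if value in (None, ""):
            problems.append(f"missing {element}")
            continue
        if element == "date and time":
            # A timestamp that cannot be parsed cannot establish "when".
            try:
                datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            except (TypeError, ValueError):
                problems.append("unparseable date and time")
        elif element == "outcome" and value not in ("success", "failure"):
            # AU-3 asks for success or failure, not free text.
            problems.append(f"outcome not success/failure: {value!r}")
    return problems


def audit_sample(lines):
    """Check every line of an exported sample; returns {line_no: problems}
    for non-conforming lines only, so an empty dict means all as required."""
    findings = {}
    for n, line in enumerate(lines.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["not a parseable audit record"]
            continue
        problems = check_record(record)
        if problems:
            findings[n] = problems
    return findings


if __name__ == "__main__":
    for n, problems in audit_sample(SAMPLE_RECORDS).items():
        print(f"record {n}: {', '.join(problems)}")
```

On the constructed sample the first two records pass, record 3 lacks an outcome, record 4 has an unparseable timestamp, a free-text outcome and an empty subject, and line 5 is not a record at all. Checking the timestamp format and the outcome vocabulary, rather than only field presence, is what separates "the field exists" from "the record establishes the element", which is the distinction the AU-3 test case is asking the assessor to make.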

AU-3 (1)

Examine audit and accountability policy, procedures addressing content of audit records, security plan, or other relevant documents for additional, more detailed information to be included in audit records for audit events identified by type, location, or subject.
Examine audit and accountability policy, procedures addressing content of audit records, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) to be employed to include the detailed information in audit records for audit events.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine a sample of information system audit records for evidence that the measures are being applied.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AU-4

Examine procedures addressing audit record storage capacity, security plan, information system design documentation, or other relevant documents for the audit record storage capacity in accordance with the organization defined audit record storage requirements and the configuration settings to be employed to allocate such capacity.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the audit record storage capacity and related configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

AU-5

Examine audit and accountability policy, procedures addressing response to audit processing failures, security plan, or other relevant documents for the organization-defined list of personnel or roles to be alerted in the event of an audit processing failure.
Examine audit and accountability policy, procedures addressing response to audit processing failures, security plan, or other relevant documents for additional actions to be taken in the event of an audit processing failure.
Test a sample of mechanisms and configuration settings for evidence that these mechanisms are operating as intended.

AU-6

Examine audit and accountability policy, procedures addressing audit review, analysis, and reporting, security plan, or other relevant documents for a list or indications of organization-defined inappropriate or unusual activity.
Examine audit and accountability policy, procedures addressing audit review, analysis, and reporting, security plan, or other relevant documents for the frequency of review and analysis.
Examine audit and accountability policy, procedures addressing audit review, analysis, and reporting, security plan, or other relevant documents for a list of organization-defined personnel or roles to whom findings are reported.
Interview a sample of organization-defined personnel responsible for reviewing the findings of audit review and analysis for further evidence that these reviews, analyses, and reports are disseminated and reviewed appropriately.
Test a sample of information system audit review, analysis, and reporting capability; conducting testing for evidence that these mechanisms are operating as intended.

AU-6 (1)

Examine procedures addressing audit review, analysis, and reporting, procedures addressing investigation and response to suspicious activities, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) to be employed to integrate audit review, analysis, and reporting activities into the organization’s overall process for investigation and response to suspicious activities.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel responsible for audit review, analysis, and reporting, and organizational personnel responsible for incident monitoring and response for further evidence that the measures are being applied.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

AU-6 (3)

Examine audit and accountability policy, procedures addressing audit review, analysis, and reporting, security plan, information system design documentation, or other relevant documents for the repositories whose audit records are to be analyzed and correlated to gain organization-wide situational awareness.
Examine audit and accountability policy, procedures addressing audit review, analysis, and reporting, security plan, information system design documentation, or other relevant documents for the measures (including the process and/or the automated mechanisms and their configuration settings) to be employed to analyze and correlate audit records across the identified repositories.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine the process to analyze and correlate audit records across a sample of the repositories observing for evidence that the process is being applied.
Interview a sample of organizational personnel responsible for audit record review, analysis, and reporting on the repositories for further evidence that the measures are being applied.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

AU-7

Examine procedures addressing audit reduction and report generation, security plan, information system design documentation, or other relevant documents for the audit reduction and report generation capability, and the mechanisms and their configuration settings to be employed to ensure that it supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to support the required capability.
Interview a sample of organizational personnel responsible for information system audit review, analysis, and reporting for further evidence that the mechanisms support on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents.
Test a sample of the mechanisms and their configuration settings that support on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; conducting testing for evidence that the capability is operating as intended.
Examine the output of the mechanisms for evidence that the original content or time ordering of audit records is not altered.

AU-7 (1)

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to automatically process audit records for events of interest based on organization-defined audit fields within audit records.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

AU-8

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to use internal system clocks to generate time stamps in audit records, and determine that the time stamps can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meet the organization-defined granularity of time measurement.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms use internal system clocks to generate time stamps as the date and time information in audit records.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are using internal system clocks to generate time stamps as the date and time information in audit records.
Note to assessor: This test must be coordinated with all responsible personnel associated with the information system. Testing of this nature may impose risk to the information system and, as such, the testing of any specific auditing mechanism should be carefully planned and executed.
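As an added assessor-side example (not part of the FedRAMP test cases), the script below checks a constructed sample of JSON-lines audit records for the AU-3 content elements and for the AU-8 requirement that time stamps be mappable to UTC at the organization-defined granularity, assumed here to be one second. The field names are an assumption about the log format, not a FedRAMP or NIST schema.

```python
import json
import re
from datetime import datetime, timezone

# AU-3 content element -> field name assumed for this hypothetical JSON-lines log format.
REQUIRED_FIELDS = {
    "what (event type)": "event_type",
    "when": "timestamp",
    "where": "host",
    "source": "source",
    "outcome": "outcome",
    "identity": "subject",
}
CLOCK_RE = re.compile(r"(\d{2}):(\d{2})(?::(\d{2})(?:\.(\d+))?)?")


def parse_utc(value):
    """Return the stamp as an aware UTC datetime, or None if it cannot be mapped to UTC."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:  # naive local time: no unambiguous mapping to UTC/GMT
        return None
    return ts.astimezone(timezone.utc)


def stamp_granularity(value):
    """Finest unit the stamp records, in seconds: 60, 1 or a fraction; None if unrecognised."""
    m = CLOCK_RE.search(value)
    if not m:
        return None
    if m.group(3) is None:
        return 60.0
    if m.group(4):
        return 10.0 ** -len(m.group(4))
    return 1.0


def check_record(record, required_granularity=1.0):
    """Return AU-3/AU-8 findings for one parsed record; an empty list means it passes."""
    findings = []
    for element, field in REQUIRED_FIELDS.items():
        if not record.get(field):
            findings.append(f"missing {element} ({field})")
    outcome = record.get("outcome")
    if outcome is not None and outcome not in ("success", "failure"):
        findings.append(f"outcome {outcome!r} is not success/failure")
    stamp = record.get("timestamp")
    if stamp:
        if parse_utc(stamp) is None:
            findings.append("timestamp cannot be mapped to UTC")
        gran = stamp_granularity(stamp)
        if gran is None or gran > required_granularity:
            findings.append(f"timestamp granularity {gran} coarser than {required_granularity}s")
    return findings


def assess_sample(lines, required_granularity=1.0):
    """Check each JSON line; return {line_number: findings} for non-compliant records only."""
    results = {}
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            results[n] = ["record is not valid JSON"]
            continue
        findings = check_record(record, required_granularity)
        if findings:
            results[n] = findings
    return results


# Constructed sample records, not real log data: one compliant, one with a naive
# local-time stamp, one missing the subject with a non-standard outcome and minute precision.
SAMPLE_LINES = [
    '{"timestamp":"2024-06-06T14:03:21Z","event_type":"LOGIN","host":"app-01",'
    '"source":"10.0.0.5","outcome":"success","subject":"alice"}',
    '{"timestamp":"2024-06-06 14:03:25","event_type":"FILE_READ","host":"app-01",'
    '"source":"10.0.0.5","outcome":"success","subject":"alice"}',
    '{"timestamp":"2024-06-06T14:04Z","event_type":"LOGOUT","host":"app-01",'
    '"source":"10.0.0.5","outcome":"ok"}',
]

if __name__ == "__main__":
    for n, findings in assess_sample(SAMPLE_LINES).items():
        print(f"record {n}: " + "; ".join(findings))
```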

AU-8 (1)

Examine the information system to ensure that the information system compares the internal information system clocks with the organization-defined authoritative time source at the organization-defined frequency.
Examine the information system for evidence that it synchronizes with the organization-defined authoritative time server when the time difference is greater than the organization-defined time period.
Examine audit and accountability policy, procedures addressing time stamp generation, security plan, or other relevant documents for the authoritative time source for internal clock synchronization.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to synchronize internal information system clocks with the authoritative time source and in accordance with the required organization-defined frequency.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.
Note to assessor: This test must be coordinated with all responsible personnel associated with the information system. Testing of this nature may impose risk to the information system and, as such, the testing of any specific auditing mechanism should be carefully planned and executed.

AU-9

Examine security plan, information system design documentation, and other relevant documents for the automated mechanisms and their configuration settings to be employed to protect audit information and audit tools from unauthorized access, modification, and deletion.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to protect audit information and audit tools from unauthorized access, modification, and deletion.
Test a sample of the automated mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to protect audit information and audit tools from unauthorized access, modification, and deletion.
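Added example, not from the FedRAMP test cases or any specific provider: a keyed hash chain is one mechanism by which a system (or an assessor checking a sample of stored records) can detect unauthorized modification or deletion of audit records. The key is assumed to be held outside the audited system, for instance by the log collector, and the final chain value must be recorded out of band to detect truncation of the tail.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key, seq, prev, record):
    """Keyed SHA-256 over the sequence number, the previous MAC and the canonical record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{seq}|{prev}|{body}".encode(), hashlib.sha256).hexdigest()


def chain_records(records, key):
    """Wrap each audit record with a sequence number and a MAC that binds it to its predecessor."""
    entries, prev = [], GENESIS
    for seq, record in enumerate(records, start=1):
        mac = _mac(key, seq, prev, record)
        entries.append({"seq": seq, "prev": prev, "record": record, "mac": mac})
        prev = mac
    return entries


def verify_chain(entries, key, expected_last_mac=None):
    """Return (ok, detail). Edited, reordered and deleted entries are detected; truncation
    of the tail is only detectable when the last MAC was recorded out of band."""
    prev = GENESIS
    for expected_seq, entry in enumerate(entries, start=1):
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return False, f"gap or reordering before seq {entry['seq']}"
        if not hmac.compare_digest(_mac(key, entry["seq"], prev, entry["record"]), entry["mac"]):
            return False, f"record {entry['seq']} modified"
        prev = entry["mac"]
    if expected_last_mac is not None and not hmac.compare_digest(prev, expected_last_mac):
        return False, "chain truncated: last MAC does not match recorded anchor"
    return True, f"{len(entries)} records intact"


# Constructed sample records and key, not real data.
KEY = b"assumed-collector-held-key"
SAMPLE_RECORDS = [
    {"timestamp": "2024-06-06T14:03:21Z", "event_type": "LOGIN", "subject": "alice", "outcome": "success"},
    {"timestamp": "2024-06-06T14:05:02Z", "event_type": "PRIV_ESC", "subject": "alice", "outcome": "failure"},
    {"timestamp": "2024-06-06T14:06:40Z", "event_type": "LOGOUT", "subject": "alice", "outcome": "success"},
]


def demo():
    """Build a chain, then report whether edits, deletions and truncation are detected."""
    entries = chain_records(SAMPLE_RECORDS, KEY)
    anchor = entries[-1]["mac"]  # would be stored off the audited system
    results = {"intact": verify_chain(entries, KEY, anchor)[0]}
    edited = copy.deepcopy(entries)
    edited[1]["record"]["outcome"] = "success"  # attempt to hide the failed escalation
    results["edited"] = verify_chain(edited, KEY, anchor)[0]
    deleted = entries[:1] + entries[2:]  # middle record removed
    results["deleted"] = verify_chain(deleted, KEY, anchor)[0]
    truncated = entries[:2]  # tail removed
    results["truncated_with_anchor"] = verify_chain(truncated, KEY, anchor)[0]
    results["truncated_without_anchor"] = verify_chain(truncated, KEY)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'TAMPERING DETECTED'}")
```

The last case shows the caveat an assessor should look for: without an out-of-band anchor, a chain that has simply been cut short still verifies.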

AU-9 (2)

Examine audit and accountability policy, procedures addressing protection of audit information, security plan, information system design documentation, or other relevant documents for the system or system component storing back up audit records and for evidence that this system or system component is different from the system being audited.
Examine audit and accountability policy, procedures addressing protection of audit information, security plan, or other relevant documents for the frequency of information system backups of audit records.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to back up audit records in accordance with the required frequency and onto the system or system component.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine a sample of information system backups of audit records stored on the system or system component for evidence that the mechanisms and configurations are being applied.
Interview a sample of organizational personnel responsible for conducting audit record backups on the system or system component for further evidence that the mechanisms and configurations are being applied.

AU-9 (4)

Examine audit and accountability policy and procedures addressing protection of audit information, security plan, information system design documentation, or other relevant documents for the subset of privileged users (by name, position, or role) authorized to manage audit functions for the information system, and for the automated mechanisms and their configuration settings used to restrict access to audit management functions to that subset of privileged users.
Interview a sample of organizational personnel responsible for authorizing access to audit management functions for the information system; conducting [basic] discussions for further evidence that the mechanisms and configurations are being applied.
Test a sample of the automated mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

AU-11

Examine audit and accountability policy, procedures addressing audit record retention, security plan, or other relevant documents for the retention period for audit records. The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements.
Examine organization’s records retention policy for the records retention period and for evidence that this period is consistent with the retention period for audit records.
Examine audit and accountability policy, procedures addressing audit record retention, security plan, or other relevant documents for the mechanisms and their configuration settings to be employed to retain audit records in accordance with the required retention period.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine information system audit records for a sample of audit logs retained for the information system for evidence that the mechanisms and configurations are being applied.
Interview a sample of organizational personnel responsible for audit record retention for evidence that information system audit records are retained in accordance with the required time period to support after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-12

Examine procedures addressing audit record generation, security plan, information system design documentation, or other relevant documents for the information system components that provide audit record generation capability for the list of auditable events for all organization-defined information system components.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed within the information system components to generate audit records for the list of auditable events.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.
Examine audit and accountability policy, procedures addressing audit record generation, security plan, or other relevant documents for the organizational personnel (by name or role) designated to select which events are to be audited by the information system components.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to permit the organizational personnel to select the events to be audited by the information system.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel for evidence that the mechanisms and configurations are being applied.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine a sample of information system audit records generated from a sample of the information system components for evidence that the mechanisms and configurations are being applied.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

Security Assessment and Authorization (CA)

CA-1

Examine information security program documentation for the organization's security assessment and authorization policy and for evidence that the security assessment and authorization policy is reviewed and updated at least every three years.
Examine the organization's security assessment and authorization policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate the implementation of the security assessment and authorization policy, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy was disseminated to the organizational elements.
Examine information security program documentation for the organization security assessment and authorization procedures.
Examine organization security assessment and authorization procedures for evidence that the procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
Examine organization security assessment and authorization policy and procedures, or other relevant documents for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy is reviewed and updated at least every three years, and the procedures at least annually.

CA-2

Examine information system documentation for a security assessment plan for the information system. Examine the security assessment plan for a description of the scope of the assessment including security controls and control enhancements under assessment; assessment procedures to be used to determine security control effectiveness; and assessment environment, assessment team, and assessment roles and responsibilities.
Examine security assessment and authorization policy, procedures addressing security assessments, security plan, or other relevant documents for the frequency of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Examine a sample of security assessment reports for evidence that security controls in the information system are assessed in accordance with the required frequency.
Examine a sample of security assessment reports for evidence that the results of the security control assessments are documented.
Examine a sample of security assessment reports for evidence that the results of the security control assessments have been provided, in writing, to the organization-defined personnel or roles.
Interview organization-defined personnel or roles for the information system for further evidence that the results of security control assessments are provided in writing.

CA-2 (1)

Examine security assessment and authorization policy, security assessment plan, security plan, or other relevant documents for authorizing official determination and/or approval of the organization-defined independence criteria for the assessors or assessment team that assesses the security controls in the information system.
Examine a sample of security assessment reports or other relevant documents for evidence that the assessors meet the criteria for independence.

CA-2 (2)

Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for the forms of security testing to be included in planning, scheduling, and security control assessments, selecting from in-depth monitoring, malicious user testing, penetration testing, red team exercises, or an organization-defined form of security testing to ensure compliance with all vulnerability mitigation procedures; the frequency for conducting each form of security testing; and whether the security testing will be announced or unannounced.
Examine a sample of security assessment reports, continuous monitoring assessment reports, or other relevant documents for evidence that assessments are planned, scheduled, and conducted in accordance with the identified assessment techniques.

CA-2 (3)

Examine security assessment report, plan of action and milestones, security assessment requirements, security assessment plan, security assessment evidence, or other relevant documents or records for evidence of organizational acceptance of the results of an assessment of an organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.
Interview a sample of organization personnel with security assessment acceptance responsibilities for evidence of organizational acceptance of the results of an assessment of an organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.

CA-3

Examine security plan, information system design documentation, or other relevant documents for evidence that connections to other information systems are identified. Interview a sample of organizational personnel responsible for developing, implementing, or approving information system interconnection agreements for evidence that connections to other information systems have been identified.
Examine information system interconnection agreements for a sample of connections for evidence that the organization authorizes all identified connections from the information system to other information systems through the use of interconnection security agreements.
Examine information system interconnection agreements for a sample of connections for evidence that the interface characteristics, security requirements, and nature of the information communicated is documented for each connection.
Examine procedures addressing information system connections, system and communications protection policy, a sample of information system interconnection security agreements, or other relevant documents for the organization-defined frequency of reviews and updates to Interconnection Security Agreements.

CA-3 (3)

Examine system and communications protection policy, as well as applicable documentation, agreements, procedures, and configuration settings for evidence of any connection of an unclassified, non-national security system to an external network without the use of an approved boundary protection device.
Examine procedures addressing information system connections, as well as applicable documentation, agreements, policy, and configuration settings for evidence that a boundary protection device has been used to connect an unclassified, non-national security system to an external network.
Examine procedures addressing information system connections, as well as applicable documentation, agreements, procedures, policy, and configuration settings for evidence that the organization prohibits the direct connection of an unclassified, non-national security system to an external network without the use of a boundary protection device.

CA-3 (5)

Examine procedures addressing information system connections, information system interconnection agreements, security plan, information system design documentation, or other relevant documents for evidence that connections between the information system and external information systems are identified.
Examine procedures addressing information system connections, information system interconnection agreements, security plan, information system design documentation, or other relevant documents for evidence that each connection is identified as either allow-all, deny-by-exception, deny-all, or permit-by-exception.

CA-5

Examine information system documentation for a plan of action and milestones for the information system.
Examine a sample of controls in the security assessment report and the associated plan of action and milestones for evidence that the plan of action and milestones documents the planned remedial actions to correct deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
Examine security assessment and authorization policy, procedures addressing plan of action and milestones, security plan, or other relevant documents for the frequency for updating the plan of action and milestones. [at least quarterly]
Examine security assessment and authorization policy, procedures addressing plan of action and milestones, security plan, or other relevant documents for the required frequency for updating the plan of action and milestones with findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Examine a sample of findings in the security assessment report and the associated plan of action and milestones for evidence that the plan of action and milestones is updated in accordance with the required frequency.
Examine a sample of findings from security impact analyses and the associated plan of action and milestones for evidence that the plan of action and milestones is updated in accordance with the required frequency.
Examine a sample of findings from continuous monitoring activities and the associated plan of action and milestones for evidence that the plan of action and milestones is updated in accordance with the required frequency.

CA-6

Examine security assessment and authorization policy, security plan, or other relevant documents for the senior-level executive or manager assigned to the role of authorizing official for the information system.
Examine a sample of security authorization packages for evidence that the authorizing official authorizes the information system for processing prior to commencing operations.
Examine security assessment and authorization policy, security plan, or other relevant documents for the frequency for security authorization updates.
Examine a sample of security authorization packages for evidence that security authorizations are updated in accordance with the required frequency.

CA-7

Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, organizational risk management strategy documentation, security plan, or other relevant documents for the development of a continuous monitoring strategy and implementation of a continuous monitoring program.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for the measures to be employed to implement a continuous monitoring program that includes: establishment of organization-defined metrics to be monitored; establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring; ongoing security control assessments in accordance with the organizational continuous monitoring strategy; ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; correlation and analysis of security-related information generated by assessments and monitoring; response actions to address results of the analysis of security-related information; and reporting the security status of the organization and the information system to organization-defined personnel or roles at the organization-defined frequency.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for the establishment of organization-defined metrics to be monitored, the establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for evidence of ongoing security control assessments and of correlation and analysis of security-related information generated by assessments and monitoring.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for evidence of actions to address results of the analysis of security-related information.
Examine a sample of continuous monitoring status reports or other relevant documents provided to officials for evidence that the measures are being applied to include reporting the security state of the information system to appropriate organizational officials in accordance with the required frequency.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for the officials to whom the security state of the information system should be reported.
Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, or other relevant documents for the frequency for reporting the security state of the information system to appropriate organizational officials.
Interview a sample of organizational personnel with responsibilities for continuous monitoring for further evidence that the measures are being applied.

CA-7 (1)

Examine the security assessment and authorization policy, security assessment plan, continuous monitoring plan, security plan, or other relevant documents for the authorizing official determination and/or approval of the independence criteria for the assessor or assessment team that monitors the security controls on an ongoing basis.
Examine a sample of security assessment reports, continuous monitoring assessment reports, or other relevant documents for evidence that the assessors meet the criteria for independence.
Interview a sample of organizational personnel with continuous monitoring responsibilities for further evidence that the organization employs an independent assessor or assessment team to conduct the security control assessments for continuous monitoring.

CA-8

Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, results of penetration tests, or other relevant documents for evidence that penetration testing has been conducted at an organization-defined frequency on organization-defined information systems or system components.
Interview personnel with responsibility for penetration testing for evidence that testing is being performed in accordance with policy and guidance, and that the results of penetration tests are appropriately remediated.

CA-8 (1)

Examine security assessment and authorization policy, procedures addressing continuous monitoring of security controls, security plan, results of penetration tests, or other relevant documents for evidence that penetration testing has been conducted by an independent penetration agent or penetration team on the information system or system components.
Interview personnel with responsibility for penetration testing for evidence that the penetration agent or penetration team has an appropriate degree of independence.

CA-9

Examine procedures addressing information system connections, information system design documentation, information system configuration settings and associated documentation, the list of components or classes of components authorized as internal system connections, or other relevant documents or records for evidence that system components or classes of components are defined as authorized internal connections to the information system.
Examine assessment and authorization policy, procedures addressing information system connections, or other relevant documents or records for evidence of guidance to organization staff who conduct authorizations of internal connections from information system components to the information system.
Interview a sample of organizational personnel responsible for authorizing internal connections for evidence that procedures addressing information system connections are followed.
Examine procedures addressing information system connections, information system design documentation, information system configuration settings and associated documentation, the list of components or classes of components authorized as internal system connections, or other relevant documents or records for evidence that each internal connection to the information system has documented interface characteristics, security requirements, and the nature of the information communicated.

Configuration Management (CM)

CM-1

Examine configuration management documentation for evidence that the organization configuration management policy is reviewed and updated at least every three years.
Examine organization configuration management policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information system program documentation for procedures that facilitate the implementation of the configuration management policy and associated configuration management controls and that the procedures are reviewed and updated at least annually.
Examine organization configuration management policy and procedures, or other relevant documents for the organization elements having associated configuration management roles and responsibilities and to which the configuration management policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy was disseminated to the organizational elements.
Examine configuration management documentation for the organization configuration management procedures.
Examine organization configuration management procedures for evidence that the procedures facilitate implementation of the configuration management policy and associated configuration management controls.
Examine organization configuration management policy and procedures, or other relevant documents for the organization elements having associated configuration management roles and responsibilities and to which the configuration management procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy is reviewed and updated at least every three years, and the procedures at least annually.

CM-2

Examine information system architecture and configuration documentation, information system design documentation, information system build documentation, or other relevant documents associated with a sample of information system components for a current baseline configuration of the information system.
Note to assessor: Information system components defined in the configuration management plan for the information system should include the configuration items (hardware, software, firmware, and documentation) required to be configuration-managed.
Examine configuration management policy, procedures addressing the baseline configuration of the information system, configuration management plan, or other relevant documents for the measures to be employed to maintain, under configuration control, a current baseline configuration of the information system.
Examine change control records, configuration audit records, or other relevant documents associated with a sample of information system components for evidence that the measures are being applied.
Interview a sample of organizational personnel with configuration change control responsibilities for further evidence that the measures are being applied.

CM-2 (1)

Examine configuration management policy, procedures addressing the baseline configuration of the information system, configuration management plan, or other relevant documents for the measures to be employed to review and update the baseline configuration of the information system in accordance with the required frequency, when required due to circumstances defined by the control, and as an integral part of information system component installations and upgrades.
Examine a sample of records of baseline configuration reviews and updates for the information system for evidence that the baseline configuration is reviewed and updated in accordance with the required frequency.
Examine a sample of records of baseline configuration reviews and updates for the information system for evidence that the baseline configuration is reviewed and updated due to circumstance defined by the control.
Examine a sample of records of baseline configuration reviews and updates associated with component installations or upgrades for the information system for evidence that the measures are being applied to review and update the baseline configuration as an integral part of information system component installations and upgrades.
Interview a sample of organizational personnel with configuration change control responsibilities for further evidence that the measures are being applied to review and update the baseline configuration of the information system.
Examine the configuration management or change management procedures or other relevant documents for indication that the organization reviews and updates the baseline configuration of the information system when required as a result of a significant change as defined in the current version of NIST SP 800-37:
The Continuous Monitoring Phase consists of three tasks:
1. Configuration management and control;
2. Security control monitoring; and
3. Status reporting and documentation.
The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system.

CM-2 (2)

Examine configuration management policy, the configuration management plan and procedures addressing the baseline configuration of the information system, information system design documentation, information system architecture and configuration documentation, and other relevant documents for evidence that the information system uses mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

CM-2 (3)

Examine configuration management policy, procedures addressing the baseline configuration of the information system, configuration management plan, or other relevant documents for retention requirements for older versions of baseline configurations to support rollback.
Examine a sample of historical copies of baseline configurations for evidence that older versions of baseline configurations are retained as required.
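The following is an added illustration of the kind of automated mechanism CM-2 (2) and CM-2 (3) ask the assessor to test: a controlled baseline of configuration items (path and SHA-256 digest), a drift check of the observed state against it, and bounded retention of older baseline versions to support rollback. It is example code written for this page, not FedRAMP tooling or any service provider's implementation; the file paths, file contents and retention count are constructed sample values.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    modified: list[str] = field(default_factory=list)    # present, but content changed
    missing: list[str] = field(default_factory=list)     # in the baseline, absent now
    unexpected: list[str] = field(default_factory=list)  # present now, not in the baseline

    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(items: dict[str, bytes]) -> dict[str, str]:
    """Record the approved configuration items as path -> digest (the baseline)."""
    return {path: sha256(content) for path, content in items.items()}


def check_drift(baseline: dict[str, str], current: dict[str, bytes]) -> DriftReport:
    """Compare the observed content of each item against the controlled baseline."""
    report = DriftReport()
    for path, approved_digest in baseline.items():
        if path not in current:
            report.missing.append(path)
        elif sha256(current[path]) != approved_digest:
            report.modified.append(path)
    report.unexpected.extend(path for path in current if path not in baseline)
    for entries in (report.modified, report.missing, report.unexpected):
        entries.sort()
    return report


class BaselineStore:
    """Keeps the current baseline plus a bounded number of older versions (CM-2 (3))."""

    def __init__(self, retain: int = 3):
        self.retain = retain
        self.versions: list[dict[str, str]] = []

    def commit(self, baseline: dict[str, str]) -> None:
        self.versions.append(dict(baseline))
        del self.versions[:-self.retain]   # drop versions older than the last `retain`

    @property
    def current(self) -> dict[str, str]:
        return self.versions[-1]

    def previous(self, steps_back: int = 1) -> dict[str, str]:
        """Older baseline to roll back to; raises IndexError if it was not retained."""
        return self.versions[-1 - steps_back]


# Constructed sample data: an approved baseline of three configuration items.
APPROVED_CONFIG = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ntp.conf": b"server time.example.gov iburst\n",
    "/etc/audit/auditd.conf": b"max_log_file_action = keep_logs\n",
}
BASELINE = build_baseline(APPROVED_CONFIG)

# Constructed observed state: sshd_config was changed, auditd.conf is gone,
# and a cron job appeared that was never placed under configuration control.
OBSERVED_STATE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/ntp.conf": b"server time.example.gov iburst\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}


def sample_report() -> DriftReport:
    return check_drift(BASELINE, OBSERVED_STATE)


if __name__ == "__main__":
    report = sample_report()
    print("modified:  ", report.modified)
    print("missing:   ", report.missing)
    print("unexpected:", report.unexpected)
```

In an assessment, the evidence of interest is that the drift check runs on the real configuration items listed in the configuration management plan, that its findings feed the change control process, and that the retained versions actually allow a rollback to be performed.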

CM-2 (7)

Examine configuration management policy, procedures addressing configuration management for portable and mobile devices, security plan, or other relevant documents for a list of locations (or criteria for defining locations) that are deemed to be of significant risk.
Examine configuration management policy, procedures addressing configuration management for portable and mobile devices, security plan, or other relevant documents for the measures to be employed to issue specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk.
Examine mobile devices issued to a sample of individuals traveling to locations that the organization deems to be of significant risk for evidence that identified measures are being applied.
Examine configuration management policy, procedures addressing configuration management for portable and mobile devices, security plan, or other relevant documents for the inspection and preventative measures to be applied to mobile devices returning from identified locations.
Test a sample of mobile devices returning from identified locations for evidence that the identified measures are being applied.
Interview a sample of organizational personnel responsible for inspecting mobile devices for further evidence that the identified measures are being applied.

CM-3

Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for the types of changes to the information system that are to be configuration controlled.
Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for the measures to be employed to approve configuration-controlled changes to the system with explicit consideration for security impact analyses.
Examine change control records for a sample of changes identified in the change audit summary report or other relevant documents for the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for security impact analysis and approval of proposed changes to the information system for further evidence that the measures are being applied.
Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for the measures to be employed to document approved configuration-controlled changes to the system.
Examine approved configuration control changes and other records for evidence that the changes have been implemented.
Examine change control records for a sample of configuration-controlled changes identified in the change audit summary report or other relevant documents for the information system for evidence that the measures are being applied.
Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for the measures to be employed to retain and review records of configuration-controlled changes to the system.
Examine the configuration management policy, procedures addressing system configuration change control, and change control records, reviewing the records of configuration-controlled changes to determine whether the organization retains and reviews them.
Examine change control records for a sample of configuration-controlled changes to the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for retaining and reviewing records of configuration-controlled changes to the information system for further evidence that the measures are being applied.
Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for the measures to be employed to audit activities associated with configuration-controlled changes to the system.
Examine a sample of audit records associated with configuration-controlled changes to the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for auditing activities and organizational personnel responsible for coordinating and providing oversight for configuration change control activities associated with the information system for further evidence that the measures are being applied.
Examine configuration management policy, procedures addressing information system configuration change control, configuration management plan, or other relevant documents for:
The configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;
The frequency with which the configuration change control element convenes; and/or
Configuration change conditions that prompt the configuration change control element to convene.
The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page), subject to approval and acceptance by the JAB.
Examine the configuration management policy and procedures for the definition of the system configuration change control elements (committee, board) responsible for coordinating and providing oversight for configuration change control activities, the frequency with which the configuration control elements convene, and the configuration change conditions that require the elements to convene.
Examine configuration management policy, procedures addressing information system configuration change control, configuration change control board charter, configuration management plan, or other relevant documents for the measures to be employed to coordinate and provide oversight for configuration control activities through the configuration change control element, which convenes at the required frequency and/or for any conditions identified in the control.
Examine a sample of change control records, change control board meeting minutes, information system audit records, or other relevant documents for evidence that the measures are being applied.

CM-4

Examine configuration management policy, procedures addressing security impact analysis for changes to the information system, configuration management plan, or other relevant documents for the measures to be employed to analyze changes to the information system to determine potential security impacts prior to change implementation.
Examine security impact analysis documentation for a sample of changes identified in the configuration status accounting report, change audit summary report, or other relevant documents for the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes for further evidence that the measures are being applied.

CM-5

Examine configuration management policy, procedures addressing access restrictions for changes to the information system, configuration management plan, or other relevant documents for the physical and logical access restrictions to be associated with changes to the information system.
Note to assessor: The requirements to satisfy the CM-5 control may be fully implemented by other controls (e.g., AC-3, PE-3), partially implemented by other controls (e.g., AC-3, PE-3), or completely implemented by the CM-5 control. Therefore, assessors will need to understand and isolate these complexities to successfully adapt assessor actions when evaluating this control.
Examine configuration management policy, procedures addressing access restrictions for changes to the information system, configuration management plan, or other relevant documents for the measures to be employed to document and approve the physical and logical access restrictions.
Examine access approval records and associated documentation of access privileges for a sample of information system users for evidence that the measures are being applied to document and approve physical and logical access restrictions.
Interview a sample of organizational personnel with physical access control responsibilities and organizational personnel with logical access control responsibilities for further evidence that the measures are being applied to document and approve physical and logical access restrictions.
Examine configuration management policy, procedures addressing access restrictions for changes to the information system, configuration management plan, information system design documentation, or other relevant documents for the measures (including automated mechanisms and their configuration settings) to be employed to enforce the physical and logical access restrictions.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to enforce physical and logical access restrictions.
Examine access control records for a sample of information system users for further evidence that the measures are being applied to enforce physical and logical access restrictions.
Interview a sample of organizational personnel with physical access control responsibilities and organizational personnel with logical access control responsibilities for further evidence that the measures are being applied to enforce physical and logical access restrictions.
Test a sample of the mechanisms for evidence that these mechanisms are operating to enforce physical and logical access restrictions as intended.

CM-5 (1)

Examine configuration management plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to enforce access restrictions and support auditing of enforcement actions.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

CM-5 (3)

Examine the formally documented policies and procedures for a listing of information system prohibited software/firmware that may not be installed without verification that the component has been digitally signed.
Examine the baseline configuration settings for user-operated organizational devices (e.g., laptops, desktops) and validate that the information system implements automated mechanisms to prevent the download, installation, and/or update of software/firmware that does not carry a valid digital signature.
Test that the information system validates the code and prevents the installation of organization-defined software and firmware components that are unsigned.

CM-5 (5)

Examine configuration management plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to limit information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment.
Examine documentation describing the current configuration settings for a sample of automated mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.
Examine configuration management policy, procedures addressing access restrictions for changes to the information system, configuration management plan, or other relevant documents for the frequency (at least quarterly) of reviewing and reevaluating information system developer/integrator privileges.
Examine configuration management policy, procedures addressing access restrictions for changes to the information system, configuration management plan, or other relevant documents for the measures to be employed to review and reevaluate information system developer/integrator privileges in accordance with the required frequency.
Examine a sample of reviews and reevaluations of information system developer/integrator privileges for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for reviewing and reevaluating information system developer/integrator privileges for further evidence that the measures are being applied.

CM-6

Examine information system architecture documentation, information system design documentation, information system build documentation, or other relevant documents for the information technology products employed within the information system.
Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the security configuration checklists to be used to establish and document mandatory configuration settings for a sample of information technology products.
The service provider ensures that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the requirement that security configuration checklists are to reflect the most restrictive mode consistent with operational requirements.
Interview a sample of organizational personnel responsible for establishing and documenting mandatory configuration settings for the information technology products for evidence that the security configuration checklists reflect the most restrictive mode consistent with operational requirements.
Examine security configuration checklists for a sample of information technology products employed within the information system for the mandatory configuration settings to be employed.
Examine a sample of security configuration settings implemented for the information technology products for evidence that the information system is configured in accordance with the mandatory configuration settings, which are based on the Center for Internet Security (CIS) guidelines (Level 1) or established by the organization and approved by the JAB if USGCB is not available.
Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the measures to be employed to identify, document, and approve deviations from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.
The service provider uses the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available. Configuration settings are approved and accepted by the JAB.
Examine documented approvals for a sample of deviations from the mandatory configuration settings for a sample of information system components for evidence that the measures are being applied.
Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the measures to be employed to monitor and control changes to the configuration settings.
Examine a sample of monitoring records and change control records associated with changes to the configuration settings for the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for monitoring and controlling changes to information system configuration settings for further evidence that the measures are being applied.

CM-6 (1)

Examine configuration management plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings employed to centrally manage, apply, and verify the configuration settings of organization-defined components required to be under configuration management.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

CM-7

Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the list of prohibited or restricted functions, ports, protocols, and services.
Prohibited or restricted ports, protocols, or services are defined per NIST guidance, the Center for Internet Security guidelines (Level 1), or service provider recommendation if USGCB is not available, and are to be approved and accepted by the JAB.
Examine configuration management plan, information system design documentation, or other relevant documents for the configurations to be employed in the information system to provide only essential capabilities.
Examine a sample of the information system configuration settings for evidence that the information system is configured as intended.
Test a sample of information system components for evidence that the information system is configured to provide only essential capabilities.
Examine configuration management plan, information system design documentation, or other relevant documents for the configurations to be employed in the information system to prohibit or restrict the use of the functions, ports, protocols, and/or services identified in the control.
Examine a sample of the information system configuration settings for evidence that the information system is configured as required to restrict the use of prohibited or restricted functions, ports, protocols, and services.
Test a sample of information system components for evidence that the information system is configured to prohibit or restrict the functions, ports, protocols, and services as defined by the control.

CM-7 (1)

Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the frequency of conducting information system reviews to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Examine configuration management policy, procedures addressing configuration settings for the information system, configuration management plan, or other relevant documents for the measures to be employed to review the information system in accordance with the required frequency to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Examine a sample of information system reviews for evidence that the measures are being applied.
Interview a sample of organization personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system for further evidence that information system reviews are performed in accordance with the measures.

CM-7 (2)

Examine the information system’s formally documented list of restricted and authorized software programs.
Examine the information system configuration settings for restricted software programs.
Test that the information system prevents the installation of an unsigned restricted component.
Test that the information system prevents the installation of organization-defined software and firmware components that are signed by a revoked certificate.

CM-7 (5)

Examine the documented list of software programs that are authorized to execute to ensure that the list is defined.
Examine the information system configuration settings to ensure that the system is configured to deny all and permit only by exception the execution of authorized software programs on the information system.
Examine the system documentation and audit records to ensure that the organization reviews and updates the list of authorized software programs at least annually or when there is a change.
Interview a sample of organization personnel responsible for implementing the configuration settings for allowing only authorized software to run in the information system to ensure that the system is configured to deny-all and only permit by exception the execution of authorized software programs on the information system.
Interview a sample of organization personnel responsible for reviewing and updating the list of authorized software programs to ensure it is reviewed and updated at least annually or when there is a change.
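The decisions an assessor tests under CM-5 (3), CM-7 (2) and CM-7 (5) can be written down as one policy evaluation: a component executes or installs only if it is on the authorized list, carries a digital signature from a trusted signer, that signer's certificate is not revoked, the signature verifies, and the content matches the approved version. The block below is an added example written for this page, not FedRAMP's or any vendor's enforcement code. It models the signature with an HMAC over the file content so that it runs stand-alone; a real deployment uses the platform's code-signing verification (Authenticode, package-manager signatures, and the like) in place of `sign`/`verify_signature`. All component names, signer identities, keys and hashes are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY_NOT_AUTHORIZED = "deny: not on the authorized list"
    DENY_UNSIGNED = "deny: no digital signature"
    DENY_REVOKED_SIGNER = "deny: signer certificate revoked"
    DENY_UNTRUSTED_SIGNER = "deny: signer not trusted"
    DENY_BAD_SIGNATURE = "deny: signature does not verify"
    DENY_HASH_MISMATCH = "deny: content differs from the authorized version"


@dataclass(frozen=True)
class Component:
    name: str
    content: bytes
    signer: str | None = None        # None models an unsigned component
    signature: bytes | None = None


@dataclass
class Policy:
    authorized: dict[str, str]           # component name -> approved SHA-256 digest
    trusted_signers: dict[str, bytes]    # signer id -> verification key
    revoked_signers: set[str]            # signer ids whose certificates are revoked


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> bytes:
    # HMAC stands in for a real code-signing signature in this example.
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_signature(key: bytes, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), signature)


def evaluate(policy: Policy, comp: Component) -> Verdict:
    """Deny all, permit by exception: every check must pass to reach ALLOW."""
    if comp.name not in policy.authorized:
        return Verdict.DENY_NOT_AUTHORIZED
    if comp.signer is None or comp.signature is None:
        return Verdict.DENY_UNSIGNED
    if comp.signer in policy.revoked_signers:
        return Verdict.DENY_REVOKED_SIGNER
    key = policy.trusted_signers.get(comp.signer)
    if key is None:
        return Verdict.DENY_UNTRUSTED_SIGNER
    if not verify_signature(key, comp.content, comp.signature):
        return Verdict.DENY_BAD_SIGNATURE
    if digest(comp.content) != policy.authorized[comp.name]:
        return Verdict.DENY_HASH_MISMATCH
    return Verdict.ALLOW


# Constructed sample data (no real vendors, keys or software).
VENDOR_A_KEY = b"constructed-key-vendor-a"
VENDOR_B_KEY = b"constructed-key-vendor-b"   # vendor-b's certificate is revoked below
APPROVED_AGENT = b"backup-agent v1.4 (approved build)"
TAMPERED_AGENT = b"backup-agent v1.4 (modified build)"

POLICY = Policy(
    authorized={"backup-agent": digest(APPROVED_AGENT), "monitor": digest(b"monitor v2")},
    trusted_signers={"vendor-a": VENDOR_A_KEY, "vendor-b": VENDOR_B_KEY},
    revoked_signers={"vendor-b"},
)

SAMPLE_COMPONENTS = {
    "approved-agent": Component("backup-agent", APPROVED_AGENT, "vendor-a",
                                sign(VENDOR_A_KEY, APPROVED_AGENT)),
    "unsigned-agent": Component("backup-agent", APPROVED_AGENT),
    "unlisted-tool": Component("net-toy", b"net-toy 0.1", "vendor-a",
                               sign(VENDOR_A_KEY, b"net-toy 0.1")),
    "revoked-monitor": Component("monitor", b"monitor v2", "vendor-b",
                                 sign(VENDOR_B_KEY, b"monitor v2")),
    # Validly signed by a trusted signer, but not the approved build.
    "tampered-agent": Component("backup-agent", TAMPERED_AGENT, "vendor-a",
                                sign(VENDOR_A_KEY, TAMPERED_AGENT)),
    "forged-agent": Component("backup-agent", APPROVED_AGENT, "vendor-a", b"\x00" * 32),
}


def sample_decisions() -> dict[str, Verdict]:
    return {label: evaluate(POLICY, comp) for label, comp in SAMPLE_COMPONENTS.items()}


if __name__ == "__main__":
    for label, verdict in sample_decisions().items():
        print(f"{label:16} {verdict.value}")
```

The order of the checks is deliberate: absence from the authorized list ends evaluation before any signature work, which is what "deny all, permit by exception" means in practice, and a valid signature from a trusted signer is still not sufficient when the content is not the approved version. The six sample components are the test cases an assessor would want to see exercised when testing the mechanism.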

CM-8

Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, or other relevant documents for the measures to be employed to develop, document, and maintain an inventory of the information system components that accurately reflects the current information system, is consistent with the authorization boundary of the information system, establishes the level of granularity deemed necessary by the organization for tracking and reporting, includes the information deemed necessary to achieve effective property accountability, and is available for review and audit by designated organizational officials.
Examine a sample of information system change records and associated information system inventory records for evidence that the measures are being applied to accurately reflect the information system.
Examine information system inventory records for a sample of information system components associated with the authorization boundary of the information system for evidence that the measures are being applied.
Examine information system inventory records for a sample of information system components for the required level of granularity.
Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, or other relevant documents for the information deemed necessary to achieve effective system component accountability. [Organization-defined (service provider-defined) information deemed necessary to ensure system component accountability may include hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and, for a networked component/device, the machine name and network address].
Interview a sample of organizational officials responsible for reviewing and auditing the inventory of information system components for evidence that the measures are being applied.

CM-8 (1)

Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, or other relevant documents for the measures to be employed to update the inventory of information system components as an integral part of component installations, component removals, and information system updates.
Examine a sample of component installation records, component removal records, and information system updates, and associated information system inventory records for evidence that the measures are being applied.
Interview a sample of organizational personnel with information system inventory responsibilities for further evidence that the measures are being applied.

CM-8 (3)

Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, or other relevant documents for the frequency of employing mechanisms to detect the addition of unauthorized hardware, software or firmware components into the information system. [Mechanisms are employed continuously with a maximum five-minute delay in detection].
Examine configuration management plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed, in accordance with the required frequency, to detect the addition of unauthorized hardware, software or firmware components into the information system.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.
Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) to be employed to take organizationally defined actions.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel responsible for detecting and reporting unauthorized hardware, software or firmware components on the information system; conducting discussions for further evidence that the measures are being applied.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

CM-8 (5)

Examine configuration management policy, procedures addressing information system component inventory, configuration management plan, or other relevant documents for the measures to be employed to verify that all components within the authorization boundary of the information system are not duplicated in other information system inventories.
Examine information system inventory records and associated verification documentation for a sample of components within the authorization boundary of the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel with information system inventory responsibilities for further evidence that the measures are being applied.
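The inventory checks in CM-8, CM-8 (1), CM-8 (3) and CM-8 (5) above share one data source: the authorized component inventory compared against what is actually discovered on the network. The following is an added example, not FedRAMP or NIST code, of how an assessor's evidence review can be scripted. It assumes inventory records are dictionaries keyed by serial number and that the detection mechanism logs when a component was first seen and when it raised an alert; all records, addresses and timestamps are constructed.

```python
"""Inventory checks supporting CM-8, CM-8 (1), CM-8 (3) and CM-8 (5).

Added example, not FedRAMP or NIST code. Assumes inventory records are
dictionaries keyed by serial number and that the detection mechanism logs
first-seen and alert times. All records, addresses and timestamps are constructed.
"""
from datetime import datetime, timedelta

MAX_DETECTION_DELAY = timedelta(minutes=5)   # CM-8 (3): five-minute maximum

REQUIRED_FIELDS = ("manufacturer", "type", "model", "serial_number",
                   "physical_location", "owner")
NETWORKED_FIELDS = ("machine_name", "network_address")

# Constructed authorized inventory for the system under assessment.
INVENTORY = {
    "SN-1001": {"manufacturer": "VendorA", "type": "server", "model": "R1",
                "serial_number": "SN-1001", "physical_location": "DC1 rack 4",
                "owner": "ops team", "machine_name": "web01",
                "network_address": "10.0.1.10"},
    "SN-1002": {"manufacturer": "VendorA", "type": "server", "model": "R1",
                "serial_number": "SN-1002", "physical_location": "DC1 rack 4",
                "owner": "ops team", "machine_name": "db01"},  # address missing
    "SN-2001": {"manufacturer": "VendorB", "type": "switch", "model": "S9",
                "serial_number": "SN-2001", "physical_location": "DC1 rack 4",
                "owner": "network team", "machine_name": "sw01",
                "network_address": "10.0.1.1"},
}

# Constructed inventory of another system in the same data center; the
# switch SN-2001 has been claimed by both systems.
OTHER_SYSTEM_INVENTORY = {
    "SN-2001": {"serial_number": "SN-2001", "type": "switch"},
    "SN-9000": {"serial_number": "SN-9000", "type": "server"},
}


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


# Constructed detection log from the discovery mechanism.
DISCOVERED = [
    {"serial_number": "SN-1001", "network_address": "10.0.1.10",
     "first_seen": _ts("2014-06-06T09:00:00"), "alerted": None},
    {"serial_number": "SN-3003", "network_address": "10.0.1.77",
     "first_seen": _ts("2014-06-06T09:10:00"), "alerted": _ts("2014-06-06T09:13:00")},
    {"serial_number": "SN-3004", "network_address": "10.0.1.78",
     "first_seen": _ts("2014-06-06T09:20:00"), "alerted": _ts("2014-06-06T09:31:00")},
]


def incomplete_records(inventory: dict) -> dict:
    """CM-8: serials whose record lacks required accountability fields. A record
    carrying either networked field is treated as networked and must have both."""
    missing = {}
    for serial, rec in inventory.items():
        fields = list(REQUIRED_FIELDS)
        if any(f in rec for f in NETWORKED_FIELDS):
            fields += NETWORKED_FIELDS
        gaps = [f for f in fields if not rec.get(f)]
        if gaps:
            missing[serial] = gaps
    return missing


def unauthorized_components(inventory: dict, discovered: list) -> list:
    """CM-8 (3): discovered serials absent from the authorized inventory."""
    return sorted(d["serial_number"] for d in discovered
                  if d["serial_number"] not in inventory)


def late_detections(inventory: dict, discovered: list,
                    max_delay: timedelta = MAX_DETECTION_DELAY) -> list:
    """CM-8 (3): unauthorized components not alerted within the allowed delay."""
    late = []
    for d in discovered:
        if d["serial_number"] in inventory:
            continue
        if d["alerted"] is None or d["alerted"] - d["first_seen"] > max_delay:
            late.append(d["serial_number"])
    return late


def duplicated_components(inventory: dict, other_inventory: dict) -> list:
    """CM-8 (5): serials listed in both this system's inventory and another's."""
    return sorted(set(inventory) & set(other_inventory))


def assess(inventory: dict, discovered: list, other_inventory: dict) -> dict:
    return {
        "incomplete_records": incomplete_records(inventory),
        "unauthorized_components": unauthorized_components(inventory, discovered),
        "late_detections": late_detections(inventory, discovered),
        "duplicated_components": duplicated_components(inventory, other_inventory),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(assess(INVENTORY, DISCOVERED, OTHER_SYSTEM_INVENTORY))
```

With the constructed data the report shows one incomplete record (db01 has no network address), two components on the network that are not in the inventory, one of them alerted eleven minutes after first being seen, and one switch double-counted across two system inventories.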

CM-9

Examine information system documentation for a configuration management plan for the information system.
Examine configuration management plan for evidence that the plan addresses roles, responsibilities, and configuration management processes and procedures; establishes a process for identifying configuration items, defines configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
Examine information system documentation to ensure the organization protects the configuration management plan from unauthorized disclosure or modification.
Interview a sample of organizational personnel responsible for configuration management plan development, documentation, and implementation for evidence that the plan is developed, documented, and implemented.

CM-10

Examine system and services acquisition policy, procedures addressing software usage restrictions, site license documentation, software usage restrictions, security plan, or other relevant documents for the measures to be employed to use software and associated documentation in accordance with contract agreements and copyright laws.
Examine a sample of information system audit records, configuration change control records, information system monitoring records, or other relevant records for evidence that the measures are being applied.
Interview a sample of organizational personnel with information system administration responsibilities and/or organizational personnel operating, using, and/or maintaining the information system for further evidence that the measures are being applied.
Examine system and services acquisition policy, procedures addressing software usage restrictions, security plan, or other relevant documents for the tracking systems to be employed to control copying and distribution of software and associated documentation protected by quantity licenses.
Interview a sample of organizational personnel operating, using, and/or maintaining the information system for further evidence that the tracking systems are being applied.
Examine system and services acquisition policy, procedures addressing software usage restrictions, security plan, or other relevant documents for the measures to be employed to control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Examine a sample of information system audit records, configuration change control records, information system monitoring records, or other relevant records associated with the use of peer-to-peer file sharing technology for evidence that the measures are being applied.

CM-10 (1)

Examine systems and services acquisition policy, configuration management policy, procedures addressing restrictions on use of open source software to determine that any organization-defined restrictions are clearly documented.
Interview organizational personnel with responsibility for establishing and enforcing restrictions on use of open source software to determine that they adhere to the policies and organization-defined restrictions.

CM-11

Examine system and services acquisition policy, procedures addressing user installed software, security plan, or other relevant documents for the explicit rules governing the installation of software by users.
Examine system and services acquisition policy, procedures addressing user installed software, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) to be employed to enforce the rules.
Examine the software installation rules and audit records to ensure that policy is being reviewed based on an organization-defined frequency. [Continuously]
Interview a sample of organizational personnel with information system administration responsibilities or organizational personnel operating, using, and/or maintaining the information system for further evidence that the measures are being applied.
Test a sample of the mechanisms and their configuration settings; conducting testing using simulated events or conditions for evidence that these mechanisms are operating as intended.

Contingency Planning (CP)

CP-1

Examine information security program documentation for the organization contingency planning policy and for evidence that the contingency planning policy is reviewed and updated at least every three years.
Examine organization contingency planning policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate implementation of the contingency planning policy and for evidence that the procedures are reviewed and updated at least annually.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy was disseminated to the organizational elements.
Examine information security program documentation for the organization contingency planning procedures.
Examine organization contingency planning procedures for evidence that the procedures facilitate implementation of the contingency planning policy and associated contingency planning controls.
Examine organization contingency planning policy and procedures, or other relevant documents for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy is reviewed and updated at least every three years, and the procedures at least annually.

CP-2

Examine information system documentation for a contingency plan for the information system.
Examine contingency plan for evidence that the plan identifies essential missions and business functions and associated contingency requirements; provides recovery objectives, restoration priorities, and metrics; addresses contingency roles, responsibilities, assigned individuals with contact information; addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; and addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and is reviewed and approved by organization-defined personnel or roles.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan. The contingency list includes designated FedRAMP personnel for JAB authorizations.
Interview a sample of organizational personnel and organizational elements for evidence that these individuals received copies of the contingency plan.
Examine contingency planning policy, incident response policy, procedures addressing contingency operations, procedures addressing incident handling, contingency plan, incident response plan, or other relevant documents for the measures to be employed to coordinate contingency planning activities with incident handling activities.
Examine a sample of meeting minutes, meeting agendas, status reports, or other relevant documents associated with coordinating contingency planning and incident handling activities for evidence that the measures are being applied.
Interview a sample of organizational personnel with contingency planning responsibilities and organizational personnel with incident handling responsibilities; conducting discussions for further evidence that the measures are being applied to coordinate contingency planning activities with incident handling activities.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the frequency of contingency plan reviews. [at least annually].
Examine contingency plan and other relevant documents resulting from contingency plan reviews for evidence that the plan is reviewed in accordance with the required frequency.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the measures to be employed to revise the contingency plan to address changes to the organization, information system, or environment of operation and any problems encountered during contingency plan implementation, execution, or testing.
Examine contingency plan and a sample of change control records addressing contingency plan revisions from changes to the organization, information system, or environment of operation for evidence that the measures are being applied.
Note to assessor: Change control records addressing contingency plan revisions may be maintained in the contingency plan, or maintained in change management software or document management software used by the organization.
Examine contingency plan and a sample of change control records addressing contingency plan revisions from problems encountered during contingency plan implementation, execution, or testing for evidence that the measures are being applied.
Interview a sample of organizational personnel and organizational elements for further evidence that contingency plan changes are communicated to key contingency personnel and organizational elements. The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel for JAB authorizations.
Interview a sample of organization personnel and organizational elements with responsibility for contingency planning for evidence that the contingency plan is protected from unauthorized disclosure or modification.

CP-2 (1)

Examine contingency planning policy, incident response policy, procedures addressing contingency operations, procedures addressing incident handling, contingency plan, incident response plan, or other relevant documents for the measures to be employed to coordinate contingency planning activities with incident handling activities.
Examine a sample of meeting minutes, meeting agendas, status reports, or other relevant documents associated with coordinating contingency planning and incident handling activities for evidence that the measures are being applied.
Interview a sample of organizational personnel with contingency planning responsibilities and organizational personnel with incident handling responsibilities for further evidence that the measures are being applied to coordinate contingency planning activities with incident handling activities.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the frequency of contingency plan reviews. [at least annually].
Examine contingency plan and other relevant documents resulting from contingency plan reviews for evidence that the plan is reviewed in accordance with the required frequency.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the measures to be employed to revise the contingency plan to address changes to the organization, information system, or environment of operation and any problems encountered during contingency plan implementation, execution, or testing.
Examine contingency plan and a sample of change control records addressing contingency plan revisions from changes to the organization, information system, or environment of operation for evidence that the measures are being applied.
Note to assessor: Change control records addressing contingency plan revisions may be maintained in the contingency plan, or maintained in change management software or document management software used by the organization.
Examine the contingency plan covering the information system; verify it is reviewed at least annually.
Examine contingency plan and a sample of change control records addressing contingency plan revisions from problems encountered during contingency plan implementation, execution, or testing for evidence that the measures are being applied.
Interview a sample of organizational personnel and organizational elements for further evidence that contingency plan changes are communicated to key contingency personnel and organizational elements. The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.

CP-2 (2)

Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the measures to be employed to coordinate contingency plan development with other organizational elements responsible for related plans.
Examine a sample of meeting minutes, meeting agendas, status reports, or other relevant documents associated with coordinating contingency plan development with related plans for evidence that the measures are being applied.
Interview a sample of organizational personnel with contingency plan development responsibilities and organizational personnel with responsibilities in related plan areas for further evidence that the measures are being applied to coordinate contingency plan development with other organizational elements responsible for related plans.

CP-2 (3)

Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the time period for planning the resumption of essential missions and business functions as a result of contingency plan activation.
Examine contingency planning policy, procedures addressing contingency operations, contingency plan, or other relevant documents for the measures to be employed to plan for the resumption of essential missions and business functions upon contingency plan activation within the time period.
Interview a sample of organizational personnel with contingency plan development and implementation responsibilities; conducting [basic] discussions for further evidence that the measures identified are being applied.

CP-2 (8)

Examine contingency planning policy and procedures addressing contingency operations, contingency plan, or other relevant documents for organization identified critical information system assets supporting essential missions and business functions.
Interview a sample of organizational personnel with contingency plan development and implementation responsibilities for further evidence that the inventory of critical information system assets is identified, monitored, and updated for accuracy.

CP-3

Examine contingency planning policy, procedures addressing contingency training, contingency plan, or other relevant documents for evidence that the organization provides contingency training to information system users consistent with assigned roles and responsibilities.
Examine contingency planning policy, procedures addressing contingency training, contingency plan, or other relevant documents for evidence that initial contingency training is provided within 10 days of assuming a contingency role or responsibility.
Examine contingency planning policy, procedures addressing contingency training, contingency plan, or other relevant documents for evidence that the organization provides contingency training to information system users when required by information system changes.
Examine contingency planning policy, procedures addressing contingency training, contingency plan, or other relevant documents for evidence that the organization provides contingency training to information system users at least annually thereafter.
Examine training records for a sample of organizational personnel with contingency roles and responsibilities with respect to the information system for evidence that the measures are being applied.
Interview a sample of organizational personnel for further evidence that the measures are being applied.
Examine training records for a sample of organizational personnel with contingency roles and responsibilities with respect to the information system for evidence that refresher training is being conducted in accordance with the required frequency.

CP-4

Examine contingency planning policy, procedures addressing contingency plan testing, contingency plan, or other relevant documents for the contingency plan tests to be conducted for the information system. The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB.
Examine contingency planning policy, procedures addressing contingency plan testing, contingency plan, or other relevant documents for the frequency of contingency plan tests. [at least annually for moderate systems].
Examine a sample of contingency plan tests conducted for the information system for evidence that the organization tests the contingency plan using organization-defined tests, in accordance with the required frequency, to determine the plan’s effectiveness and the organization’s readiness to execute the plan.
Examine contingency planning policy, procedures addressing contingency plan tests, contingency plan, or other relevant documents for the measures to be employed to review the contingency plan test/exercise results and to initiate any corrective actions needed to improve the plan’s effectiveness and the organization’s readiness to execute the plan.
Examine review documentation for a sample of contingency plan test results for evidence that the measures are being applied to review contingency plan test results and any corrective actions needed.
Examine corrective action plan or other relevant documents associated with a sample of corrective actions for evidence that the measures are being applied to initiate corrective actions.
Interview a sample of organizational personnel with responsibility for reviewing or responding to contingency plan test results for further evidence that the measures are being applied.

CP-4 (1)

Examine contingency planning policy, procedures addressing contingency plan testing/exercises, contingency plan, or other relevant documents for the measures to be employed to coordinate contingency plan testing/exercises with organizational elements responsible for related plans.
Examine a sample of meeting minutes, meeting agendas, status reports, or other relevant documents associated with coordinating contingency plan testing/exercises with related plans for evidence that the measures are being applied.
Interview a sample of organizational personnel with contingency plan testing responsibilities and organizational personnel with responsibilities in related plan areas for further evidence that the measures are being applied to coordinate contingency plan testing/exercises with organizational elements responsible for related plans.

CP-6

Examine procedures addressing alternate storage sites, contingency plan, or other relevant documents for an established alternate storage site.
Examine a sample of alternate storage site agreements for the alternate storage site for evidence that these agreements permit storage and retrieval of information system backup information.
Examine procedures addressing alternate storage sites, contingency plan, or other relevant documents for evidence that the alternate storage site provides information security safeguards equivalent to those of the primary site.

CP-6 (1)

Examine contingency plan for the primary storage site hazards.
Examine contingency plan, risk assessment for the alternate storage site, or other relevant documents for evidence that the alternate storage site is separated from the primary storage site so as not to be susceptible to the hazards identified in the control.

CP-6 (3)

Examine procedures addressing alternate storage sites, contingency plan, or other relevant documents for potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
Examine procedures addressing alternate storage sites, contingency plan, or other relevant documents for explicit mitigation actions for potential accessibility problems to the alternate storage site.

CP-7

Examine procedures addressing alternate processing sites, contingency plan, or other relevant documents for an established alternate processing site.
Examine contingency planning policy, procedures addressing alternate processing sites, contingency plan, or other relevant documents for the organization-defined time period(s) within which processing must be resumed at the alternate processing site to achieve recovery time objectives for organization-defined information system operations for essential mission/business functions when primary processing capabilities are unavailable.
Note to assessor: The organization may define different time periods for different mission/business functions.
Examine a sample of alternate processing site agreements for the alternate processing site for evidence that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
Examine procedures addressing alternate processing sites, contingency plan, or other relevant documents for evidence that the alternate processing site provides information security safeguards equivalent to those of the primary site.

CP-7 (1)

Examine contingency plan for the primary processing site hazards.
Examine contingency plan, risk assessment for the alternate processing site, or other relevant documents for evidence that the alternate processing site is separated from the primary processing site so as not to be susceptible to the hazards.

CP-7 (2)

Examine procedures addressing alternate processing sites, contingency plan, or other relevant documents for potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
Examine procedures addressing alternate processing sites, contingency plan, or other relevant documents for explicit mitigation actions for potential accessibility problems to the alternate processing site.

CP-7 (3)

Examine contingency planning policy, procedures addressing alternate processing sites, contingency plan, business impact assessment, or other relevant documents for the organization’s availability requirements.
Examine procedures addressing alternate processing sites, contingency plan, or other relevant documents for the alternate processing site agreements that contain priority-of-service provisions in accordance with the availability requirements.
Examine a sample of alternate processing site agreements for evidence that these agreements contain priority-of-service provisions in accordance with the availability requirements.

CP-8

Examine procedures addressing alternate telecommunications services, contingency plan, or other relevant documents for alternate telecommunications services established to support the information system when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
Examine contingency planning policy, procedures addressing alternate telecommunications services, contingency plan, or other relevant documents for the list of organization-defined information system operations for essential missions and business functions to be restored.
Examine contingency planning policy, procedures addressing alternate telecommunications services, contingency plan, or other relevant documents for the time period(s) within which resumption of information system operations must take place.
Examine a sample of alternate telecommunications service agreements for evidence that these agreements permit the resumption of telecommunications services for essential missions and business functions within the time period(s) and in accordance with the Business Impact Analysis (BIA) to be approved and accepted by JAB when the primary or alternate telecommunications capabilities are unavailable.

CP-8 (1)

Examine contingency planning policy, procedures addressing primary and alternate telecommunications services, contingency plan, business impact assessment, or other relevant documents for the organizational availability requirements.
Examine procedures addressing primary and alternate telecommunications services, contingency plan, or other relevant documents for the primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the availability requirements.
Examine a sample of primary and alternate telecommunications service agreements for evidence that these agreements contain priority-of-service provisions in accordance with the availability requirements.
Examine procedures addressing primary and alternate telecommunications services, contingency plan, or other relevant documents for the telecommunications services used for national security emergency preparedness.
Examine primary and alternate telecommunications service agreements for the telecommunications services for evidence of common carriers.
Examine primary and alternate telecommunications service agreements for evidence that the organization requests Telecommunications Service Priority (TSP) for the telecommunications services.

CP-8 (2)

Interview primary and alternate telecommunications service providers and a sample of organizational personnel responsible for obtaining primary and alternate telecommunications services; conducting discussions for evidence that alternate telecommunications services are obtained with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

CP-9

Examine contingency planning policy, procedures addressing information system backup, contingency plan, or other relevant documents for the frequency of conducting user-level information backups to support the recovery time objectives and recovery point objectives. [At least daily incremental; weekly full].
Examine contingency planning policy, procedures addressing information system backup, contingency plan, or other relevant documents for the frequency of conducting system-level information backups to support the recovery time objectives and recovery point objectives.
Examine contingency planning policy, procedures addressing information system backup, contingency plan, or other relevant documents for the frequency of conducting information system documentation backups (including security-related information) to support the recovery time objectives and recovery point objectives. [At least daily incremental; weekly full].
Examine a sample of records of information system backups for evidence that user-level information is backed up in accordance with the required frequency. [At least daily incremental; weekly full].
Examine a sample of records of information system backups for evidence that system-level information is backed up in accordance with the required frequency. [At least daily incremental; weekly full].
Examine a sample of records of information system backups for evidence that information system documentation (including security-related information) is backed up in accordance with the required frequency. [At least daily incremental; weekly full].
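The CP-9 examine steps above ask the assessor to compare a sample of backup records against the required frequency (daily incremental, weekly full) for user-level, system-level and documentation backups. The following is an added example, not part of the FedRAMP test cases, of how that comparison can be automated over a backup job log. The records, the category names and the fourteen-day review window are constructed for the example; an assessor would feed in the provider's actual job history.

```python
from datetime import date, timedelta

# Backup categories named in CP-9 (user-level, system-level, documentation).
CATEGORIES = ("user-level", "system-level", "documentation")


def build_sample_records():
    """Constructed sample (not from the page): 14 days of backup job records.

    Each record is (category, level, completion date). A full backup is taken
    on day 0 and day 7 (both Sundays), incremental otherwise, with two
    deliberate gaps so the checker has something to flag:
      - system-level backup missing on 2014-06-10
      - documentation backup in week 2 was only an incremental, not a full
    """
    start = date(2014, 6, 1)
    records = []
    for offset in range(14):
        day = start + timedelta(days=offset)
        level = "full" if offset % 7 == 0 else "incremental"
        records.append(("user-level", level, day))
        if offset != 9:
            records.append(("system-level", level, day))
        doc_level = "incremental" if offset == 7 else level
        records.append(("documentation", doc_level, day))
    return records


def check_backup_frequency(records, start, end, categories=CATEGORIES):
    """Compare backup records against 'at least daily incremental; weekly full'.

    Returns {category: [finding, ...]}; an empty list means the category met
    the required frequency over [start, end]. Any backup level satisfies the
    daily requirement; only a 'full' satisfies the weekly requirement.
    """
    by_category = {c: [] for c in categories}
    for category, level, day in records:
        if category in by_category:
            by_category[category].append((level, day))

    findings = {c: [] for c in categories}
    for category in categories:
        any_days = {day for _, day in by_category[category]}
        full_days = {day for level, day in by_category[category] if level == "full"}

        # Daily check: every calendar day in the window needs some backup.
        day = start
        while day <= end:
            if day not in any_days:
                findings[category].append(f"no backup on {day.isoformat()}")
            day += timedelta(days=1)

        # Weekly check: every 7-day window from the start date needs a full.
        week_start = start
        while week_start <= end:
            week_end = min(week_start + timedelta(days=6), end)
            if not any(week_start <= d <= week_end for d in full_days):
                findings[category].append(
                    f"no full backup in week starting {week_start.isoformat()}")
            week_start += timedelta(days=7)
    return findings


def assess_sample():
    """Run the check over the constructed sample and return the findings."""
    return check_backup_frequency(build_sample_records(),
                                  date(2014, 6, 1), date(2014, 6, 14))


if __name__ == "__main__":
    for category, items in assess_sample().items():
        print(category, "OK" if not items else items)
```

The check deliberately treats a full backup as also satisfying the daily requirement, so a provider that runs a full every day passes, while a week with only incrementals is flagged even though every day has a record.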

CP-9 (1)

Examine contingency planning policy, procedures addressing information system backup, contingency plan, or other relevant documents for the frequency of conducting information system backup testing at least annually.
Examine a sample of backup test results for evidence that backup testing is being performed in accordance with the required frequency.
Examine a sample of backup test results for evidence that backup testing verifies the reliability of the backup media and the integrity of the information.

CP-9 (3)

Examine procedures addressing information system backup, contingency plan, or relevant documents for evidence that backup copies of organization-defined critical information system software and other security-related information are stored in a separate facility or in a fire-rated container that is not collocated with the operational system.
Examine backup storage location(s); observing for evidence that organization-defined critical information system software and other security-related information are stored in a separate facility or in a fire-rated container that is not collocated with the operational system.
Interview a sample of organizational personnel with contingency planning and plan implementation responsibilities, and organizational personnel with information system backup responsibilities, for further evidence that the measures are being applied.

CP-10

Examine procedures addressing information system recovery and reconstitution, contingency plan, information system design documentation, or other relevant documents for the manual procedures and/or the automated mechanisms and their configuration settings to be employed for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and/or manual procedures for evidence that these mechanisms and/or manual procedures are operating as intended.

CP-10 (2)

Examine contingency planning policy, procedures addressing information system recovery and reconstitution, contingency plan, information system design documentation, or other relevant documents for the system components that are transaction-based and the measures (including automated mechanisms and their configuration settings) to be employed for transaction recovery of these system components.
Note to assessor: The control and corresponding assessor actions are applicable to the extent that the information system is transaction-based.
Examine documentation describing the current configuration settings for a sample of mechanisms for evidence that these mechanisms are configured as required.
Examine contingency plan test results, transaction recovery records, or other relevant documents for a sample of system components that are transaction-based for evidence that the measures are being applied.

Identification and Authentication (IA)

IA-1

Examine information security program documentation for the organization identification and authentication policy, and for evidence that the identification and authentication policy is reviewed and updated at least every three years.
Examine organization identification and authentication policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate the implementation of the identification and authentication policy, and for evidence that the procedures are reviewed and updated at least annually.
Examine organization identification and authentication policy and procedures, or other relevant documents for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy was disseminated to the organizational elements.
Examine information security program documentation for the organization identification and authentication procedures.
Examine organization identification and authentication procedures for evidence that the procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls.
Examine organization identification and authentication policy and procedures, or other relevant documents for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy is reviewed and updated at least every three years, and the procedures at least annually.

IA-2

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.

IA-2 (1)

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce multifactor authentication for network access to privileged accounts.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the automated mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-2 (2)

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce multifactor authentication for network access to non-privileged accounts.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-2 (3)

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to enforce multifactor authentication for local access to privileged accounts.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-2 (5)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed for individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms implementing identification and authentication capability for the information system for evidence that these mechanisms are configured as required.
Examine information system audit records or other relevant records for a sample of information system users for evidence that the measures are being applied.
Test a sample of the automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.

IA-2 (8)

Examine security plan, information system design documentation, or other relevant documents for the replay-resistant authentication mechanisms to be used for network access to privileged accounts.
Examine security plan, information system design documentation, or other relevant documents for the configuration settings to be employed for the replay-resistant authentication mechanisms.
Examine documentation describing the current configuration settings for a sample of the replay-resistant authentication mechanisms identified for evidence that these mechanisms are configured as required.
Test a sample of the replay-resistant authentication mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended.
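The IA-2 (8) test step asks for evidence that the authentication mechanism is replay-resistant, that is, that a captured authentication message cannot be presented a second time to gain access. The following added example (not from the FedRAMP document or any particular product) shows the property in a minimal nonce-based challenge-response exchange: the server issues a fresh single-use nonce, the client answers with an HMAC over the user name and that nonce, and the server discards the nonce as soon as it is checked. The class and function names, the 60-second nonce lifetime and the shared-key setup are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(key, username, nonce):
    """Client side: bind the response to both the user and this exact nonce.

    Because the nonce is fresh per challenge, a response recorded from one
    session is useless for any other session.
    """
    return hmac.new(key, username.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class ReplayResistantVerifier:
    """Server side of the challenge-response exchange (assumed design).

    shared_keys: {username: key bytes}. Each issued nonce is stored with an
    expiry and removed on first use, whether or not that use verifies.
    """

    def __init__(self, shared_keys, ttl=60, clock=time.monotonic):
        self._keys = dict(shared_keys)
        self._pending = {}          # nonce -> (username, expiry time)
        self._ttl = ttl
        self._clock = clock         # injectable so expiry can be tested

    def issue_challenge(self, username):
        if username not in self._keys:
            raise KeyError("unknown user")
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (username, self._clock() + self._ttl)
        return nonce

    def verify(self, username, nonce, response):
        # Single use: pop the nonce before doing anything else. A replayed
        # nonce is simply absent and fails without revealing why.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        expected_user, expiry = entry
        if expected_user != username or self._clock() > expiry:
            return False
        expected = compute_response(self._keys[username], username, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Exercise fresh, replayed, wrong-key and expired responses."""
    key = secrets.token_bytes(32)           # constructed shared secret
    clock = [0.0]                           # fake clock, seconds
    server = ReplayResistantVerifier({"alice": key}, ttl=60, clock=lambda: clock[0])
    out = {}

    nonce = server.issue_challenge("alice")
    response = compute_response(key, "alice", nonce)
    out["fresh"] = server.verify("alice", nonce, response)        # accepted once
    out["replay"] = server.verify("alice", nonce, response)       # same message again: rejected

    nonce2 = server.issue_challenge("alice")
    bad_key_response = compute_response(b"\x00" * 32, "alice", nonce2)
    out["wrong_key"] = server.verify("alice", nonce2, bad_key_response)

    nonce3 = server.issue_challenge("alice")
    clock[0] += 61                                                # past the 60 s lifetime
    out["expired"] = server.verify("alice", nonce3, compute_response(key, "alice", nonce3))
    return out


if __name__ == "__main__":
    print(demo())
```

When testing a real mechanism the assessor is looking for the same three behaviours this model makes explicit: the challenge changes every time, a recorded response is refused on its second presentation, and stale challenges time out rather than remaining valid indefinitely.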

IA-2 (11)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed for multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged and non-privileged accounts.
Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed for multifactor authentication for network access to privileged and non-privileged accounts such that a device, separate from the system gaining access, meets strength of mechanism requirements.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms implementing identification and authentication capability for the information system for evidence that these mechanisms are configured as required.
Examine information system audit records or other relevant records for a sample of information system users for evidence that the measures are being applied.
Test a sample of the automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.

IA-2 (12)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed to accept and electronically verify PIV credentials.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms implementing identification and authentication capability for the information system for evidence that these mechanisms are configured as required.
Examine information system audit records, PIV verification records, evidence of PIV credentials, PIV credential authorizations, or other relevant records for a sample of information system users for evidence that the measures are being applied.
Test a sample of the automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.

IA-3

Examine identification and authentication policy, procedures addressing device identification and authentication, security plan, or other relevant documents for the specific and/or types of devices for which identification and authentication is required before establishing an organization-defined connection to the information system.
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to uniquely identify and authenticate the devices before establishing an organization-defined connection to the information system.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms implementing device identification and authentication; conducting testing for evidence that these mechanisms are operating as intended.

IA-4

Examine identification and authentication policy, procedures addressing identifier management, procedures addressing account management, security plan, or other relevant documents for the time period for preventing reuse of individual, group, role or device identifiers.
Examine identification and authentication policy, procedures addressing identifier management, procedures addressing account management, security plan, or other relevant documents for the time period of inactivity after which an identifier is to be disabled. [Ninety days for user identifier]
Examine identification and authentication policy, procedures addressing identifier management, procedures addressing account management, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) employed to manage information system identifiers for individuals, groups, roles or devices by receiving authorization from organization-defined personnel or roles to assign an identifier; selecting an identifier that uniquely identifies an individual, group, role or device; assigning the identifier to the intended individual, group, role or device; preventing reuse of identifiers for at least two years; and disabling the identifier after the defined time period of inactivity. The service provider defines the time period of inactivity for device identifiers. The time period is approved and accepted by JAB.
Examine artifacts associated with a sample of identifiers for evidence of authorization to issue an identifier from organization-defined personnel or roles.
Examine authorization approvals to assign an individual, group, role or device identifier for a sample of information system accounts for evidence that the measures are being applied to receive authorization from a designated official to assign an individual, group, role or device identifier.
Examine information system identifiers for a sample of individuals, groups, roles or devices for evidence that the measures are being applied to select an identifier that uniquely identifies an individual, group, role or device.
Examine information system identifiers for a sample of individuals, groups, roles or devices for evidence that the measures are being applied to assign an identifier to the intended individuals, groups, roles or devices.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required to prevent the reuse of identifiers for the required time period.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to disable the identifier after the required time period.
Interview a sample of organizational personnel responsible for assigning identifiers for evidence that the measures are being applied to receive authorization from organization-defined personnel or roles to assign an identifier.
Test a sample of the mechanisms and their configuration settings; conducting testing for further evidence that these mechanisms are operating as intended to prevent the reuse of identifiers for the required time period.
Test a sample of the mechanisms and their configuration settings; conducting testing for further evidence that these mechanisms are operating as intended to disable the identifier after the required time period.
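The two IA-4 parameters the assessor tests, disabling a user identifier after ninety days of inactivity and refusing to reuse an identifier for at least two years, are easy to state and easy to get subtly wrong (a retired identifier that is deleted outright, for instance, leaves nothing to block its reuse). The following added example, which is not from the FedRAMP document, applies both rules to a small identifier registry. The registry entries, the review date and the one-year device inactivity period are constructed for the illustration; the page leaves the device period to the service provider, subject to JAB approval, so the value here is an assumption.

```python
from datetime import date, timedelta

USER_INACTIVITY_LIMIT = timedelta(days=90)        # page: ninety days for user identifiers
ASSUMED_DEVICE_INACTIVITY_LIMIT = timedelta(days=365)  # assumption; provider-defined, JAB-approved
REUSE_BAR = timedelta(days=2 * 365)               # page: no reuse for at least two years
REVIEW_DATE = date(2014, 6, 6)                    # constructed review date

# Constructed sample registry (not from the page). A retired identifier stays
# in the registry with its retirement date so the reuse bar can be enforced.
SAMPLE_REGISTRY = [
    {"id": "jsmith",  "kind": "user",   "status": "active",  "last_activity": date(2014, 5, 30), "retired_on": None},
    {"id": "rjones",  "kind": "user",   "status": "active",  "last_activity": date(2014, 2, 1),  "retired_on": None},
    {"id": "svc-db1", "kind": "device", "status": "active",  "last_activity": date(2013, 1, 1),  "retired_on": None},
    {"id": "bsmith",  "kind": "user",   "status": "retired", "last_activity": date(2013, 1, 1),  "retired_on": date(2013, 1, 15)},
    {"id": "tlee",    "kind": "user",   "status": "retired", "last_activity": date(2011, 1, 1),  "retired_on": date(2011, 6, 1)},
]


def inactivity_limit(kind):
    return USER_INACTIVITY_LIMIT if kind == "user" else ASSUMED_DEVICE_INACTIVITY_LIMIT


def identifiers_to_disable(registry, today=REVIEW_DATE):
    """Active identifiers whose inactivity has reached the limit for their kind."""
    return sorted(
        entry["id"] for entry in registry
        if entry["status"] == "active"
        and today - entry["last_activity"] >= inactivity_limit(entry["kind"])
    )


def is_identifier_available(registry, candidate, today=REVIEW_DATE):
    """True only if the identifier is not held by any active or disabled
    entry and was not retired within the two-year reuse bar."""
    wanted = candidate.lower()                     # uniqueness is case-insensitive here
    for entry in registry:
        if entry["id"].lower() != wanted:
            continue
        if entry["status"] in ("active", "disabled"):
            return False                           # still assigned
        if entry["retired_on"] is not None and today - entry["retired_on"] < REUSE_BAR:
            return False                           # retired too recently
    return True


def reuse_findings(registry, candidates, today=REVIEW_DATE):
    """Map each requested identifier to whether it may be assigned."""
    return {c: is_identifier_available(registry, c, today) for c in candidates}


if __name__ == "__main__":
    print("disable:", identifiers_to_disable(SAMPLE_REGISTRY))
    print("reuse:", reuse_findings(SAMPLE_REGISTRY, ["jsmith", "bsmith", "tlee", "newuser"]))
```

Running it against the sample flags rjones (125 days inactive) and the device identifier svc-db1, refuses bsmith (retired about seventeen months ago) and allows tlee (retired three years ago). The assessor's configuration review is asking the same questions of the real directory: where is the inactivity timer, and where is the retired-identifier record that makes the reuse check possible.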

IA-4 (4)

Examine identification and authentication policy, procedures addressing identifier management, procedures addressing account management, security plan, or other relevant documents for the characteristics to be used to identify user status. [Contractors; foreign nationals]
Examine identification and authentication policy, procedures addressing identifier management, procedures addressing account management, security plan, or other relevant documents for the measures to be employed to uniquely identify the user with the characteristics defined by the control.
Examine identifier management records, account management records, or other relevant records for a sample of information system users for evidence that the measures are being applied.
Interview a sample of organizational personnel responsible for managing user identifiers for evidence that the measures are being applied.

IA-5

Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the time period (by authenticator type) for changing/refreshing authenticators. [Sixty days]
Examine identification and authentication policy, procedures addressing authenticator management, security plan, information system design documentation, or other relevant documents for the measures (including mechanisms and their configuration settings) to be employed to manage information system authenticators for individuals, groups, roles or devices by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role or device receiving the authenticator; establishing initial authenticator content for authenticators defined by the organization; ensuring that authenticators have sufficient strength of mechanism for their intended use; establishing and implementing administrative procedures for initial authenticator distribution; establishing and implementing administrative procedures for lost/compromised or damaged authenticators; establishing and implementing administrative procedures for revoking authenticators; changing default content of authenticators prior to information system installation; establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if deemed to be appropriate by the organization); changing/refreshing authenticators in accordance with the organization-defined time period (by authenticator type); protecting authenticator content from unauthorized disclosure and modification; requiring users to take, and having devices implement, specific measures to safeguard authenticators; and changing authenticators for group/role accounts when membership to those accounts changes.
Examine identity verification forms for a sample of information system individuals, groups, roles or devices for evidence that the measures are being applied to verify the identity of individuals and/or devices as part of the initial authenticator distribution.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to establish initial authenticator content for authenticators defined by the organization.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to ensure authenticators have sufficient strength of mechanism for their intended use.
Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the administrative procedures to be employed for initial authenticator distribution.
Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the administrative procedures to be employed for lost/compromised or damaged authenticators.
Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the administrative procedures to be employed for revoking authenticators.
Examine a sample of information system accounts known to be delivered with default authenticators for evidence that the measures are being applied to change default content of authenticators upon information system installation.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to establish minimum and maximum lifetime restrictions and reuse conditions for authenticators.
Examine documentation describing the current configuration settings for a sample of the mechanisms identified for evidence that these mechanisms are configured to change/refresh authenticators in accordance with the required time period and when membership to group/role accounts changes.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to protect authenticator content from unauthorized disclosure and modification.
Interview a sample of organizational personnel responsible for assigning initial individual, group, role or device authenticators for evidence that the measures are being applied to verify the identity of the individual and/or device receiving the authenticator.
Interview a sample of organization personnel responsible for determining initial authenticator content for evidence that the measures are being applied to establish initial authenticator content for authenticators defined by the organization.
Interview a sample of organization personnel responsible for initial authenticator distribution for evidence that the administrative procedures are being applied for initial authenticator distribution.
Interview a sample of organization personnel responsible for handling lost/compromised or damaged authenticators for evidence that the administrative procedures are being applied for lost/compromised or damaged authenticators.
Interview a sample of organization personnel responsible for revoking authenticators for evidence that the administrative procedures are being applied for revoking authenticators.
Interview a sample of organizational personnel with authenticator management responsibilities for evidence of the requirement for individuals, groups, roles or devices to implement specific measures to safeguard authenticators.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to establish initial authenticator content for authenticators identified by the organization.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to ensure authenticators have sufficient strength of mechanism for their intended use.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to establish minimum and maximum lifetime restrictions and reuse conditions for authenticators.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to change/refresh authenticators in accordance with the required time period and when membership to group/role accounts changes.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to protect authenticator content from unauthorized disclosure and modification.

IA-5 (1)

Examine identification and authentication policy, password policy, procedures addressing authenticator management, security plan, or other relevant documents for the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters including minimum requirements for each type. [Minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters].
Examine identification and authentication policy, password policy, procedures addressing authenticator management, security plan, or other relevant documents for the minimum number of characters that must be changed when new passwords are created. [At least one].
Examine identification and authentication policy, password policy, procedures addressing authenticator management, security plan, or other relevant documents for the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters. [1 Day minimum; 60 Day maximum].
Examine identification and authentication policy, password policy, procedures addressing authenticator management, security plan, or other relevant documents for the number of generations for which password reuse is to be prohibited. [twenty four].
Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed, for password-based authentication, to enforce the minimum password complexity requirements; enforce the minimum number of characters that must be changed when new passwords are created; store and transmit only cryptographically-protected passwords; enforce the restrictions for password minimum lifetime and password maximum lifetime parameters; prohibit password reuse for the required number of generations; and allow the use of a temporary password for system logons with an immediate change to a permanent password.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to enforce the minimum password complexity requirements.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to enforce the minimum number of characters that must be changed when new passwords are created.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to store and transmit only cryptographically-protected passwords.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to enforce the restrictions for password minimum lifetime and password maximum lifetime parameters.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to prohibit password reuse for the required number of generations.
Examine documentation describing the current configuration settings for an agreed-upon sample of the mechanisms for evidence that these mechanisms are configured to require an immediate change to a permanent password when a temporary password is used.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to enforce the minimum password complexity requirements.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to enforce the minimum number of characters identified that must be changed when new passwords are created.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to store and transmit only cryptographically-protected passwords.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to enforce the restrictions for password minimum lifetime and password maximum lifetime parameters.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to prohibit password reuse for the required number of generations.
Test an agreed-upon sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to require an immediate change to a permanent password if temporary passwords are used.
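IA-5 (1) fixes every password parameter the assessor tests: twelve characters with all four character classes, at least one character changed, a one-day minimum and sixty-day maximum lifetime, twenty-four generations of reuse history, cryptographically protected storage, and a forced change after a temporary password. The following added example, not from the FedRAMP document, is a reference implementation of those rules in one place so that each test step maps to a concrete check. The class and function names are assumptions; the PBKDF2 iteration count is kept low to keep the illustration quick and would be raised in a real deployment. Note that the "characters changed" rule can only be evaluated at change time, when the user presents the old password alongside the new one; it is never reconstructed from stored hashes, which is why only salted hashes are retained.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Parameters as stated in the FedRAMP test cases for IA-5 (1).
MIN_LENGTH = 12
MIN_CHARS_CHANGED = 1
MIN_LIFETIME = timedelta(days=1)
MAX_LIFETIME = timedelta(days=60)
HISTORY_GENERATIONS = 24
PBKDF2_ITERATIONS = 20_000   # low for the demo; raise in production


def protect(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the only form in which a password is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    """Per-account state: protected password history plus lifetime bookkeeping."""

    def __init__(self):
        self.history = []        # [(salt, digest)], newest last, at most 24 entries
        self.changed_at = None   # datetime of the last change
        self.temporary = False   # set when an administrator issued a temporary password

    def matches_current(self, password):
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(protect(password, salt), digest)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, protect(password, salt)))
        self.history = self.history[-HISTORY_GENERATIONS:]
        self.changed_at = now


def complexity_violations(password):
    """Return the complexity rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def chars_changed(old, new):
    """Positions that differ plus any length difference."""
    return sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))


def set_temporary_password(record, password, now):
    """Administrator-issued temporary password; must be replaced at first logon."""
    record._store(password, now)
    record.temporary = True


def must_change_at_logon(record, now):
    """True if a temporary password is in place or the maximum lifetime has passed."""
    return record.temporary or (now - record.changed_at) > MAX_LIFETIME


def change_password(record, old_password, new_password, now):
    """Apply every IA-5 (1) rule; returns the list of violations (empty = accepted)."""
    if record.history and not record.matches_current(old_password):
        return ["current password incorrect"]
    problems = complexity_violations(new_password)
    if record.history:
        # Minimum lifetime does not apply to the mandatory first change of a temporary password.
        if not record.temporary and now - record.changed_at < MIN_LIFETIME:
            problems.append("minimum lifetime not reached")
        if chars_changed(old_password, new_password) < MIN_CHARS_CHANGED:
            problems.append("too few characters changed")
    for salt, digest in record.history:
        if hmac.compare_digest(protect(new_password, salt), digest):
            problems.append("reused within the last 24 generations")
            break
    if problems:
        return problems
    record._store(new_password, now)
    record.temporary = False
    return []


def demo():
    """Walk a constructed account through the lifecycle and return each outcome."""
    t0 = datetime(2014, 6, 6, 9, 0)
    rec = PasswordRecord()
    set_temporary_password(rec, "Temp-Start-2014!", t0)
    out = {}
    out["temp_forces_change"] = must_change_at_logon(rec, t0)
    out["weak"] = change_password(rec, "Temp-Start-2014!", "weak", t0)
    out["first_change"] = change_password(rec, "Temp-Start-2014!", "Correct-Horse-42!", t0)
    out["too_soon"] = change_password(rec, "Correct-Horse-42!", "Another-Pass-99!", t0 + timedelta(hours=2))
    out["reuse"] = change_password(rec, "Correct-Horse-42!", "Correct-Horse-42!", t0 + timedelta(days=2))
    out["ok_later"] = change_password(rec, "Correct-Horse-42!", "Another-Pass-99!", t0 + timedelta(days=2))
    out["expired"] = must_change_at_logon(rec, t0 + timedelta(days=2) + MAX_LIFETIME + timedelta(days=1))
    out["fresh"] = must_change_at_logon(rec, t0 + timedelta(days=30))
    return out


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Each `Test a sample of the mechanisms` step above corresponds to one branch here: complexity to `complexity_violations`, characters changed to `chars_changed`, protected storage to `protect` and the history list, lifetimes to the `MIN_LIFETIME` and `MAX_LIFETIME` comparisons, generations to the history scan, and the temporary-password rule to `must_change_at_logon`.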

IA-5 (2)

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed, for PKI-based authentication, to validate certificates by constructing a certification path with status information to an accepted trust anchor, including checking certificate status information; enforce authorized access to the corresponding private key; map the authenticated identity to the user account; and implement a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to validate certificates by constructing a certification path with status information to an accepted trust anchor, including checking certificate status information.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to enforce authorized access to the corresponding private key.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured to map the authenticated identity to the user account.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to validate certificates by constructing a certification path with status information to an accepted trust anchor, including checking certificate status information.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to enforce authorized access to the corresponding private key.
Test a sample of the mechanisms and their configuration settings; conducting testing for evidence that these mechanisms are operating as intended to map the authenticated identity to the user account.
Test to ensure that the information system implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
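
As an added illustration (not FedRAMP or NIST text or code), the following Python shows how the mechanism and configuration settings examined above map onto a TLS client built with the standard `ssl` module: a certification path is required to an accepted trust anchor, revocation status is checked for every certificate in that chain, the authenticated identity is bound to the expected name, and a locally cached CRL file is loaded so path validation still has status information when the network revocation source is unreachable. The two file paths are assumptions chosen for this example, not values from the document.

```python
"""Added example: a TLS client context configured the way IA-5 (2) expects a
PKI-based authentication mechanism to behave. Not FedRAMP/NIST code; the
paths below are placeholders chosen for this example."""
import os
import ssl

# Placeholder locations (assumptions): the accepted trust anchor bundle and a
# locally cached CRL that operations refreshes out of band.
TRUST_ANCHOR_PEM = "/etc/pki/agency-trust-anchors.pem"
CRL_CACHE_PEM = "/var/cache/pki/crl-cache.pem"


def build_pki_client_context(trust_anchor_pem=TRUST_ANCHOR_PEM,
                             crl_cache_pem=CRL_CACHE_PEM):
    """Return an SSLContext that (1) requires a chain to an accepted trust
    anchor, (2) checks revocation status for every certificate in that chain,
    and (3) binds the authenticated identity to the name the client expected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True                 # identity must match expected name
    ctx.verify_mode = ssl.CERT_REQUIRED       # an unverifiable chain is fatal
    # Check CRLs for the whole chain, not just the leaf. With this flag set,
    # a missing CRL makes the handshake fail closed instead of skipping the check.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN

    if trust_anchor_pem and os.path.exists(trust_anchor_pem):
        ctx.load_verify_locations(cafile=trust_anchor_pem)   # explicit anchors
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)      # platform trust store

    # Local revocation cache: PEM-encoded CRLs load through the same call, so
    # path validation has status information even when the CRL distribution
    # point cannot be reached over the network.
    if crl_cache_pem and os.path.exists(crl_cache_pem):
        ctx.load_verify_locations(cafile=crl_cache_pem)
    return ctx


def assessment_evidence(ctx):
    """Summarize the settings an assessor records when checking that the
    mechanism is 'configured as required'."""
    stats = ctx.cert_store_stats()
    return {
        "requires_valid_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_chain_revocation": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN),
        "binds_identity_to_name": ctx.check_hostname,
        "trust_anchors_loaded": stats["x509_ca"],
        "crls_loaded": stats["crl"],
    }


if __name__ == "__main__":
    for key, value in assessment_evidence(build_pki_client_context()).items():
        print(f"{key}: {value}")
```

The evidence dictionary is what an assessor would compare against the documented configuration; `crls_loaded` being zero while `checks_chain_revocation` is true is exactly the condition under which the local cache in the last test step matters, because the mechanism will then refuse connections rather than silently skip the status check.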

IA-5 (3)

Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the organization-defined types of and/or specific authenticators for which the registration process must be carried out in person, before an organization-defined registration authority with authorization by organization-defined personnel or roles. [HSPD12 Smartcards].
Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the requirement that the registration process to receive the organization-defined types of and/or specific authenticators be carried out in person, before an organization-defined registration authority, with authorization by organization-defined personnel or roles.
Interview a sample of organizational personnel with authenticator management responsibilities for evidence that the registration process is being conducted according to policy and procedures.

IA-5 (4)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the requirements to be satisfied by password authenticators and to ensure that the automated mechanisms and their configuration settings are sufficiently strong to satisfy organization-defined requirements.
Examine documentation describing the current configuration settings for a sample of the automated tools for evaluating password authenticators for evidence that these mechanisms are configured as required.
Examine documentation describing password strength assessment results or other relevant records for a sample of the automated tools for evaluating password authenticators for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel responsible for authenticator management for further evidence that the measures are being applied.
Test the automated tool to ensure support of the organizational requirements for determining if authenticators are sufficiently strong to satisfy organization-defined requirements.
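
The following is an added example (not FedRAMP or NIST code) of the kind of automated tool the test step above refers to: a checker that evaluates a candidate password against organization-defined requirements and reports every requirement it fails, so the assessor can compare the tool's behaviour with the documented configuration. The policy values and the banned-password entries are assumptions for this example, not FedRAMP parameters.

```python
"""Added example: an automated password-strength checker of the kind IA-5 (4)
asks an assessor to examine and test. Not FedRAMP/NIST code; the policy
values below are assumptions for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Organization-defined strength requirements (assumed values)."""
    min_length: int = 12
    min_char_classes: int = 3          # of lowercase, uppercase, digit, symbol
    max_repeat_run: int = 3            # "aaaa" exceeds a run of 3
    banned_substrings: tuple = ("password", "fedramp", "qwerty", "123456")
    banned_passwords: frozenset = frozenset({"P@ssw0rd1234", "Welcome12345!"})


CHAR_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def evaluate_password(candidate, policy=PasswordPolicy()):
    """Return the list of requirements the candidate fails; empty means acceptable."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"length {len(candidate)} is below the minimum of {policy.min_length}")
    present = [name for name, rx in CHAR_CLASSES.items() if rx.search(candidate)]
    if len(present) < policy.min_char_classes:
        failures.append(f"uses {len(present)} character classes; {policy.min_char_classes} required")
    # A run longer than max_repeat_run of the same character (case-sensitive).
    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, candidate):
        failures.append(f"contains a run of more than {policy.max_repeat_run} identical characters")
    lowered = candidate.lower()
    for word in policy.banned_substrings:
        if word in lowered:
            failures.append(f"contains banned substring {word!r}")
    if candidate in policy.banned_passwords:
        failures.append("matches an entry on the banned password list")
    return failures


def is_sufficiently_strong(candidate, policy=PasswordPolicy()):
    """Convenience wrapper: True only when no requirement is violated."""
    return not evaluate_password(candidate, policy)


if __name__ == "__main__":
    for sample in ("password1", "P@ssw0rd1234", "Tr0ub4dor&3-Orbit"):
        print(sample, "->", evaluate_password(sample) or "acceptable")
```

Reporting every failed requirement, rather than a single pass/fail, is what lets the assessor confirm that each documented requirement is actually enforced by the tool.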

IA-5 (6)

Examine identification and authentication policy, procedures addressing authenticator management, security plan, or other relevant documents for the measures to be employed to protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Examine risk assessments, security categorization results, and authenticator protections for a sample of information being accessed for evidence that the measures are being applied.
Interview a sample of organizational personnel with authenticator management responsibilities for further evidence that the measures are being applied.

IA-5 (7)

Examine identification and authentication policy, procedures addressing authenticator management, security plan, information system design documentation, or other relevant documents for the measures (including automated mechanisms and their configuration settings) to be employed to ensure that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine information system code reviews for a sample of applications, access scripts, or function keys for evidence that the measures are being applied.
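
To make the code-review step concrete, here is an added example (not FedRAMP or NIST code) of a small review aid that scans an access script for unencrypted static authenticators and distinguishes literal secrets from references to a secrets store, environment variable or encrypted blob. The sample script and every credential-looking value in it are constructed for this example.

```python
"""Added example: a code-review aid that flags unencrypted static authenticators
embedded in scripts, the condition IA-5 (7) asks assessors to look for. Not
FedRAMP/NIST code; the sample script and all values in it are constructed."""
import re

# Constructed sample of an access script under review.
SAMPLE_SCRIPT = """\
#!/bin/sh
export DB_PASSWORD="Summer2014!"                 # literal secret: finding
API_KEY=$(cat /run/secrets/api_key)              # read from a secrets store
curl -u svc_account:hunter2 https://internal.example/api   # credential on the command line
TOKEN="${VAULT_TOKEN}"                           # environment reference
password = os.environ["APP_PASSWORD"]            # environment reference
smtp_secret = "ENC[AES256_GCM,data:...]"         # encrypted at rest
"""

# Secret-like name followed by an assignment: PASSWORD=..., api_key: ..., token = "..."
ASSIGNMENT = re.compile(
    r"(?i)(passw(?:or)?d|pwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\s\"']+)")
# Credentials passed inline: curl -u user:pass, or user:pass@ inside a URL.
INLINE = re.compile(r"(?i)(?:-u\s+[^\s:]+:\S+|://[^\s/:@]+:[^\s@/]+@)")

# Values starting like this are references to a secret, not the secret itself.
INDIRECTION_PREFIXES = ("$", "os.environ", "ENC[", "vault:", "%")


def is_indirect(value):
    """True when the value points at a secret store rather than containing one."""
    return value.startswith(INDIRECTION_PREFIXES)


def find_static_authenticators(text):
    """Return one finding per line that embeds a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]      # drop trailing comment (simplification)
        m = ASSIGNMENT.search(code)
        if m and not is_indirect(m.group(2)):
            findings.append({"line": lineno, "kind": "assignment",
                             "name": m.group(1), "value": m.group(2)})
        m = INLINE.search(code)
        if m:
            findings.append({"line": lineno, "kind": "inline",
                             "value": m.group(0).strip()})
    return findings


if __name__ == "__main__":
    for f in find_static_authenticators(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']} credential {f['value']!r}")
```

The indirection check is what keeps the review focused on the control's actual requirement: a script that reads its secret from a vault or the environment at run time is not embedding an unencrypted static authenticator, while a literal on an assignment or a command line is.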

IA-5 (11)

Examine identification and authentication policy, procedures addressing authenticator management, security plan, information system design documentation, or the list of token quality requirements for the token quality requirements to be satisfied when the information system employs hardware token-based authentication and the mechanisms to be employed to satisfy organization-defined token quality requirements.
Examine information system configuration settings and associated documentation for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine information system audit records or other relevant documents or records for a sample of the mechanisms for evidence that the measures are being applied.
Test a sample of information system capabilities implementing hardware token-based authenticator management functions for evidence that these mechanisms are operating as intended.
Interview a sample of operations personnel with authentication management responsibility for further evidence that the measures are being applied.

IA-6

Examine security plan, information system design documentation, or other relevant documents for the automated mechanisms and their configuration settings to be employed to obscure feedback of authentication information during the authentication process.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-7

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to authenticate to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-8

Examine security plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Note to assessor: Non-organizational users include all information system users other than organizational users explicitly covered by IA-2.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Test a sample of the mechanisms and their configuration settings for evidence that these mechanisms are operating as intended.

IA-8 (1)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed to accept and electronically verify PIV credentials from other federal agencies.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms implementing identification and authentication capability for evidence that these mechanisms are configured as required.
Examine information system audit records, PIV verification records, evidence of PIV credentials, PIV credential authorizations, or other relevant records for a sample of information system users for evidence that the measures are being applied.
Test a sample of the automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.

IA-8 (2)

Examine identification and authentication policy, procedures addressing user identification and authentication, information system design documentation, security plan, or other relevant documents for the automated mechanisms and their configuration settings to be employed to accept only FICAM-approved third party credentials.
Examine documentation describing the current configuration settings for a sample of the automated mechanisms implementing identification and authentication capability for evidence that these mechanisms are configured as required.
Examine information system audit records, the list of FICAM-approved third-party credentialing products, components, or services procured and implemented by the organization, third-party credential verification records, evidence of FICAM-approved third-party credentials, third-party credential authorizations, or other relevant documents or records for a sample of information system users for evidence that the measures are being applied.
Test a sample of the automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.

IA-8 (3)

Examine identification and authentication policy, system and services acquisition policy, procedures addressing user identification and authentication, procedures addressing the integration of security requirements into the acquisition process, and information system design documentation for the list of information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials.
Examine the information system configuration settings and associated documentation, the list of FICAM-approved information system components procured and implemented by organization, acquisition documentation, and acquisition contracts for information system procurements or services for evidence that these mechanisms are configured as required.
Examine the information system audit records, third-party credential validations, third-party credential authorizations, and third-party credential records for evidence that the measures are being applied.
Test a sample of automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.
Interview a sample of organizational personnel with identification and authentication management responsibilities for further evidence that the measures are being applied.
Interview a sample of organizational personnel with information system security, acquisition, and contracting responsibilities for further evidence that the measures are being applied.

IA-8 (4)

Examine identification and authentication policy, system and services acquisition policy, procedures addressing user identification and authentication, procedures addressing the integration of security requirements into the acquisition process, and information system design documentation for the measures employed to ensure that the information system conforms to FICAM-issued profiles.
Examine the information system configuration settings and associated documentation, the list of FICAM-issued profiles and associated approved protocols, acquisition documentation, and acquisition contracts for information system procurements or services for evidence that these mechanisms are configured as required.
Examine the information system audit records, third-party credential validations, third-party credential authorizations, and third-party credential records for evidence that the measures are being applied.
Test a sample of automated mechanisms implementing identification and authentication capability for the information system; conducting testing for evidence that these mechanisms are operating as intended.
Interview a sample of organizational personnel with identification and authentication management responsibilities for further evidence that the measures are being applied.
Interview a sample of organizational personnel with information system security, acquisition, and contracting responsibilities for further evidence that the measures are being applied.

Incident Response (IR)

IR-1

Examine information security program documentation for the organization's incident response policy and for evidence that the incident response policy is reviewed and updated at least every three years.
Examine the organization's incident response policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
Examine information security program documentation for procedures that facilitate the implementation of the incident response policy and for evidence that the procedures are reviewed and updated at least annually.
Examine organization incident response policy and procedures, or other relevant documents for the organization elements having associated incident response roles and responsibilities and to which the incident response policy is to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy was disseminated to the organizational elements.
Examine information security program documentation for the organization incident response procedures.
Examine organization incident response procedures for evidence that the procedures facilitate implementation of the incident response policy and associated incident response controls.
Examine organization incident response policy and procedures, or other relevant documents for the organization elements having associated incident response roles and responsibilities and to which the incident response procedures are to be disseminated or otherwise made available.
Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy is reviewed and updated at least every three years, and the procedures at least annually.

IR-2

Examine incident response policy, procedures addressing incident response training, incident response plan, or other relevant documents for organizational personnel (identified by name and/or by role) with incident response roles and responsibilities with respect to the information system.
Examine incident response policy, procedures addressing incident response training, incident response plan, or other relevant documents for the measures to be employed to provide incident response training to the organizational personnel within an organization-defined time period of assuming an incident response role or responsibility.
Examine training records for a sample of organizational personnel for evidence that the measures are being applied.
Examine incident response policy, procedures addressing incident response training, incident response plan, or other relevant documents for the frequency of refresher incident response training [at least annually or when required by information system changes].
Examine training records for a sample of the organizational personnel for evidence that refresher incident response training is provided in accordance with the required frequency.
Interview a sample of organizational personnel with incident response training and operational responsibilities for further evidence that training is conducted according to policy.

IR-3

Examine incident response policy, procedures addressing incident response testing/exercises, incident response plan, or other relevant documents for the incident response tests/exercises to be conducted for the information system. The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended) and provides test plans to JAB annually. Test plans are approved and accepted by the JAB prior to test commencing.
Examine incident response policy, procedures addressing incident response testing/exercises, incident response plan, or other relevant documents for the frequency of incident response tests/exercises [at least annually].
Examine a sample of incident response tests/exercises conducted for the information system for evidence that the organization tests/exercises the incident response capability, in accordance with the required frequency identified, to document the results and determine incident response effectiveness.
Interview a sample of organizational personnel responsible for testing/exercising the incident response capability for the information system for further evidence that the organization documents the results of incident response tests/exercises in accordance with the required frequency.
Interview a sample of organizational personnel responsible for testing/exercising the incident response capability for the information system for further evidence that the organization determines the effectiveness of the incident response capability using tests/exercises in accordance with the required frequency.

IR-3 (2)

Interview individuals that possess incident response responsibility to determine if coordination among organizational elements responsible for related plans (related to the incident response plan) follows the standard organizational incident response lifecycle stage process progression.
Examine the incident response testing after-action reports to determine if coordination among organizational elements responsible for related plans (related to the incident response plan) follows the standard organizational incident response lifecycle stage process progression.

IR-4

Examine incident response policy, procedures addressing incident handling, incident response plan, or other relevant documents for the measures to be employed to implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system, and defines the roles and clearance level of the responsible person per shift. Potentially use “commensurate with threat (i.e. Secret Clearance).”
Examine incident handling records and any problem records, change control records, incident response test/exercise records, or other relevant documents associated with a sample of security incidents for the information system for evidence that the measures are being applied to prepare, detect and analyze, contain, eradicate, and recover from security incidents.
Interview a sample of organizational personnel with incident handling responsibilities for evidence that the measures are being applied.
Test the incident handling capability using a sample of simulated events or conditions for evidence that the measures are being applied as intended to prepare for, detect and analyze, contain, eradicate, and recover from security incidents.
Examine incident response policy, contingency planning policy, procedures addressing incident handling, procedures addressing contingency operations, incident response plan, contingency plan, or other relevant documents for the measures to be employed to coordinate incident handling activities with contingency planning activities.
Examine a sample of meeting minutes, meeting agendas, status reports, or other relevant documents associated with coordinating incident handling and contingency planning activities for evidence that the measures are being applied.
Interview a sample of organizational personnel with incident handling responsibilities and organizational personnel with contingency planning responsibilities for further evidence that the measures are being applied to coordinate incident handling activities with contingency planning activities.
Examine incident response policy, procedures addressing incident handling, incident response plan, or other relevant documents for the measures to be employed to incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.
Examine incident response procedures and a sample of change control records addressing lessons learned from ongoing incident response activities for evidence that the measures are being applied to incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.
Note to assessor: Change control records addressing revisions to incident response procedures may be maintained in the incident response plan, or maintained in change management software or document management software used by the organization.
Interview a sample of organizational personnel with incident handling responsibilities for evidence that the organization implements the resulting changes to incident response procedures, training, and testing/exercises accordingly.

IR-5

Examine incident response policy, procedures addressing incident monitoring, incident response plan, or other relevant documents for the measures to be employed to track and document information system security incidents.
Examine a sample of incident monitoring records, information system monitoring records, information system audit records, or other relevant documents for evidence that the measures are being applied.
Interview a sample of organizational personnel with incident monitoring responsibilities for evidence that the measures are being applied.
Test incident monitoring capability for the information system using a sample of simulated events or conditions for evidence that the measures are being applied as intended.

IR-6

Examine incident response policy, procedures addressing incident reporting, incident response plan, or other relevant documents for the time period required to report suspected security incidents to the organizational incident response capability. Incidents involving systems supporting Federal data shall be reported using US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended).
Examine incident response policy, procedures addressing incident reporting, incident response plan, or other relevant documents for the requirement that personnel are to report suspected security incidents to the organizational incident response capability within the organization-defined time period.
Interview a sample of organizational personnel with incident reporting responsibilities for further evidence that personnel are required to report suspected security incidents to the organizational response capability within the organization-defined time period.
Examine incident response policy, procedures addressing incident reporting, incident response plan, or other relevant documents for the organization-defined authorities to whom security incident information should be reported.
Examine incident response policy, procedures addressing incident reporting, incident response plan, or other relevant documents for the measures to be employed to report security incident information to the authorities. Examine a sample of security incident reports or other relevant security incident information provided to the authorities for evidence that the measures are being applied.
Interview a sample of organizational personnel with incident reporting responsibilities and the authorities for evidence that the measures are being applied.

IR-6 (1)

Examine incident response plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to support the incident reporting process.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine a sample of information system reports generated by the mechanisms for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel with incident reporting responsibilities for further evidence that the mechanisms and configurations are being applied.

IR-7

Examine incident response policy, procedures addressing incident response assistance, incident response plan, or other relevant documents for an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
Examine a sample of incident response records for the information system users associated with the security incidents and for the incident response support personnel providing the resources.
Interview a sample of information system users and incident response support personnel for evidence that the incident response support resource provides advice and assistance for the handling and reporting of security incidents.
Examine incident response policy, procedures addressing incident response assistance, incident response plan, or other relevant documents for evidence that the incident response support resource is an integral part of the organization’s incident response capability.

IR-7 (1)

Examine incident response plan, information system design documentation, or other relevant documents for the mechanisms and their configuration settings to be employed to increase the availability of incident response-related information and support.
Examine documentation describing the current configuration settings for a sample of the mechanisms for evidence that these mechanisms are configured as required.
Examine a sample of information system reports generated by the mechanisms for the information system users previously supported or assisted by these mechanisms and for evidence that these mechanisms are configured as required.
Interview a sample of organizational personnel with incident response support and assistance responsibilities and information system users for evidence that the mechanisms and configurations are being applied.

IR-7 (2)

Examine incident response plan or other relevant documents for external providers of information system protection capability.
Examine incident response policy, procedures addressing incident response assistance, incident response plan, or other relevant documents for the measures to be employed to establish a direct, cooperative relationship between the organization’s incident response capability and the external providers.
Examine memoranda of agreement between the organization and a sample of external service providers for evidence that the measures are being applied.
Interview a sample of organizational personnel with incident response support and assistance responsibilities and/or external service providers for further evidence that the measures are being applied.
Examine memoranda of agreement, or other relevant documents for evidence that the organization identifies incident response team members to the external providers.

IR-8

Examine incident response documentation for an incident response plan.
Examine incident response plan for evidence that the plan provides the organization with a roadmap for implementing its incident response capability; describes the structure and organization of the incident response capability; provides a high-level approach for how the incident response capability fits into the overall organization; meets the unique requirements of the organization, which relate to mission, size, structure, and functions; defines reportable incidents; provides metrics for measuring the incident response capability within the organization; defines the resources and management support needed to effectively maintain and mature an incident response capability; and is reviewed and approved by organization-defined personnel or roles.
Examine incident response plan or other relevant documents for indication of dissemination of the plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated JAB personnel.
Interview a sample of organizational personnel and organizational elements for evidence that these individuals received copies of the incident response plan.
Examine incident response plan or other relevant documents for the frequency of incident response plan reviews [at least annually].
Examine incident response plan and other relevant documents resulting from incident response plan reviews for evidence that the plan is reviewed in accordance with the organization-defined frequency.
Examine incident response policy, procedures addressing incident response assistance, incident response plan, or other relevant documents for the measures to be employed to update the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing and that incident response plan changes are communicated to the Authorizing Authority.
Examine incident response plan and a sample of change control records addressing incident response plan revisions from system/organizational changes for evidence that the measures are being applied.
Note to assessor: Change control records addressing incident response plan revisions may be maintained in the incident response plan, or maintained in change management software or document management software used by the organization.
Examine incident response plan and a sample of change control records addressing incident response plan revisions from problems encountered during plan implementation, execution, or testing for evidence that the measures are being applied.
Interview a sample of organizational personnel and organizational elements for evidence that incident response plan changes are communicated to organizational personnel and organizational elements.
Examine organization incident response policy and other documentation for the response to information spills which lists the types of information that may be involved in information system contamination.
Examine organization incident response policy and other documentation for the response to information spills by alerting the organizational-defined personnel or roles by a means not associated with the information spill.
Examine organization incident response policy and other documentation for the response to information spills for isolation methods and requirements for contaminated information systems.
Examine organization incident response policy and other documentation for the response to information spills for eradication methods and requirements for information causing contamination of the information system.
Examine organization incident response policy and other documentation for methods and techniques used to identify other information systems or components that may have been subsequently contaminated.
Examine organization incident response policy and other documentation for the response to information spills for other organization-defined actions to be performed in the event of an information spill.

IR-9 (1)

Examine organization incident response policy for evidence that the policy identifies the organization-defined personnel responsible for information spill response, and that those personnel are identified and aware of their responsibility for responding to information spills.
Examine past performance reviews or incident response reports for evidence of notifications to organization-defined personnel of an information spill.

IR-9 (2)

Examine organization incident response policy for evidence that the policy requires the organization to provide information spillage response training at least annually.
Examine past performance reviews and training history for evidence that information spillage response training is being performed in accordance with defined frequencies.

IR-9 (3)

Examine organization incident response procedure for evidence that the organization ensures personnel impacted by information spills can continue assigned tasks while contaminated systems are undergoing corrective actions.
Examine past performance reviews and/or incident response reports to ensure defined procedures allow personnel affected by information spills to continue performing assigned tasks while contaminated systems are being remediated, and that the organization uses backup systems that may not have been contaminated and/or alternate methods of performing assigned tasks.
Examine contingency plan for evidence of procedures ensuring personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

IR-9 (4)

Examine organization incident response procedure for evidence that the organization implements security safeguards for personnel exposed to information that is not within their assigned access authorization.
Interview personnel responsible for implementing safeguards for personnel exposed to information that is not within their assigned access authorization.